Security researcher Mario Heiderich reported to the maker of
This particular SVG keylogging attack was quite nasty, said Chris Eng, vice president of research at Veracode, a computer security research firm. “The way [it] works is that [the bad guy] binds the letter “a” to an action that causes the browser to silently issue a request for http://evil.com/?a. Pressing “b” would trigger the browser to silently issue a request for http://evil.com/?b. By “silently” I mean that there’s no visual cues to the user that anything is happening; if you were monitoring the network you would see the requests. As long as the attacker controls evil.com and can access the web server logs, he can piece together what the victim is typing, one character at a time.”
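Eng's last sentence also points at the defender's vantage: the same one-character requests are visible in an egress proxy or network log. As an added example (not from the article or the researchers quoted), here is a small Python detector that runs over constructed proxy log lines and flags a client sending a burst of requests to one host whose entire query string is a single character; the log format, hostnames and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample egress-proxy log (assumed format, not from the article):
# "<client_ip> <ISO timestamp> <method> <url>"
SAMPLE_LOG = """\
10.0.0.5 2011-05-03T10:00:00 GET http://news.example/index.html
10.0.0.5 2011-05-03T10:00:01 GET http://evil.example/?h
10.0.0.5 2011-05-03T10:00:01 GET http://evil.example/?e
10.0.0.5 2011-05-03T10:00:02 GET http://evil.example/?l
10.0.0.5 2011-05-03T10:00:02 GET http://evil.example/?l
10.0.0.5 2011-05-03T10:00:03 GET http://evil.example/?o
10.0.0.5 2011-05-03T10:00:04 GET http://cdn.example/img.png?v=2
10.0.0.7 2011-05-03T10:00:05 GET http://search.example/?q=svg
10.0.0.7 2011-05-03T10:00:06 GET http://search.example/?q
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Match URLs whose whole query string is exactly one alphanumeric character (?a, ?b, ...).
ONE_CHAR_QUERY_RE = re.compile(r"^https?://([^/?#]+)[^?#]*\?([A-Za-z0-9])$")


def parse_one_char_requests(log_text):
    """Yield (client, timestamp, host) for each request with a one-character query string."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crashing the detector
        client, ts, _method, url = m.groups()
        q = ONE_CHAR_QUERY_RE.match(url)
        if q:
            yield client, datetime.fromisoformat(ts), q.group(1)


def detect_keystroke_beacons(log_text, min_hits=4, window_seconds=10):
    """Return {(client, host): peak_count} for pairs that sent at least min_hits
    one-character-query requests inside any window_seconds-long window."""
    events = defaultdict(list)
    for client, ts, host in parse_one_char_requests(log_text):
        events[(client, host)].append(ts)
    alerts = {}
    for key, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            run = end - start + 1
            if run >= min_hits:
                alerts[key] = max(alerts.get(key, 0), run)
    return alerts
```

The detector only counts the pattern per client and host; a normal search box that sends `?q=term` does not match, while a single `?q` is below the threshold.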
Eng noted that this kind of problem always erupts whenever new standards are rolled out, especially with “extremely detailed and sometimes difficult to understand” attributes. You don’t have to go far to find evidence of this, either: both Mozilla and Google offer hefty bounties for bug-hunters. Eng cautioned against screaming that the sky was falling, but said that this kind of attack was inherently more interesting to researchers.
Eng said it is unlikely that an average browser user would fall victim to these atypical, hard-to-implement attacks, but Heiderich warned that the SVG keylogger is not an anomaly. “The SVG keylogger is just one example of many, and by far not the most impact ridden one,” said Heiderich.
Another factor is that the major browser makers, including Google, Mozilla, Microsoft, Apple, and Opera, are all fairly responsive to fixing these threat vectors when discovered, said Grossman. But that doesn’t mean that there aren’t steps for the home user to take.
One way to minimize the risk from this kind of modern threat is to compartmentalize your risk, he said. “The best way [to protect yourself] is behavior, not product. Whether in Firefox, IE, or Chrome, I would use any one of the major browsers for secure browsing, such as banking or Facebook. For promiscuous browsing, such as news surfing, I use a different browser.”