A keylogger written in pure CSS

Developer Max Chehab has released a proof-of-concept attack that uses the built-in CSS support of a browser to log keystrokes in a password field. Chehab’s attack consists of a Chrome Extension which captures passwords and sends them to a server the hacker controls. The code is on GitHub[1].

“This attack is really simple.

Utilising CSS attribute selectors, one can request resources from an external server under the premise of loading a background image,” said Chehab.

To verify his concept, Chehab provided the following instructions:

  1. Open a website that uses a controlled component framework such as React.
  2. Press the extension C on the top right of any webpage.
  3. Type your password.
  4. Your password should be captured by the express server.

Now read: Keylogger found in HP laptop drivers[2]


  1. ^ GitHub (
  2. ^ Keylogger found in HP laptop drivers (

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.