Be careful what you type on your computer while surfing the Web. It very well could be funneled to a script kiddie who has appropriated a handful of lines of code and inserted them into his site.

The hack has been possible for years, but two proofs of concept published this month graphically demonstrate just how easy it is for even savvy people to fall for it. Both demonstrations use JavaScript to hijack the search command found in all standard browsers. The script is activated when a user presses the ctrl+f or ⌘+f keys, causing whatever is typed after that to be sent to a server under the control of the website operator rather than to the browser's search box.

Proofs of concept here and here show how this method could be used to trick people into divulging their password or credit card number respectively. The pages pose as lists that catalog leaked user data and invite visitors to search it to see if their information is included.

To be sure, the demos are crude. The search bars that are opened are only a rough approximation of the search bars found in Google's Chrome browser. And of course, they look nothing like the search interfaces found in Internet Explorer, Firefox, or other browsers. But as security expert Bruce Schneier once noted, exploits only get better. There's nothing stopping a determined attacker from improving the hacks so they present an authentic-looking box that's customized for whatever browser and operating system an end user happens to be using. Other browser functions, such as the ctrl+s or ⌘+s save commands, could also be intercepted and replaced with a fake dialog box that instructs users to enter their administrator password.

The "browser event hijacking" hack uses JavaScript's preventDefault function, which cancels an operation while allowing all remaining handlers for the event to be executed. The code for the password-stealing demo looks like this:

    $(window).keydown(function (evt) {
        // 70 is the key code for "F"; metaKey covers the ⌘ key
        if (evt.which == "70" && (evt.metaKey || evt.ctrlKey)) {
            console.log("STRG+F");
            evt.preventDefault(); // suppress the browser's own search bar
            /* display fake search */
            $("#searchbox").slideDown(110);
            $('#search').focus();
        }
    });

More technical details about the exploits are here and here.

Neohapsis blogger Ben Toews said he raised the issue with members of Google's Chrome team and "it was labeled as a low-priority issue." He said he's not sure he disagrees with the assessment, but thinks the issue needs to be addressed.

There are at least two possible solutions to reduce threats like these. One is tweaking the user interface so search boxes are in a part of the browser that can't be confused with Web content. Browser designers who wanted to adopt this approach might be able to learn from changes Microsoft has made to recent versions of Windows that cause Web content to be shaded when sensitive system messages are being displayed. An alternate fix could involve displaying a warning when sites call preventDefault to cancel events registered as a browser key binding.
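The second fix can be sketched in script form. The following is an added example, not code from either proof of concept or from any browser: it wraps preventDefault and reports when a handler cancels a keydown that matches a browser key binding. The names `RESERVED`, `keyOf`, `isReservedShortcut`, `auditPreventDefault`, `FakeEvent` and `runDemo` are hypothetical, and the key presses are constructed sample input.

```javascript
// Added example: report when page script cancels a browser key binding.
// RESERVED is an assumed, non-exhaustive list (find, save, print, open).
const RESERVED = new Set(["f", "s", "p", "o"]);

// Prefer evt.key; fall back to the legacy numeric code (70 is "F").
const keyOf = (e) => (typeof e.key === "string" ? e.key : String.fromCharCode(e.which || e.keyCode || 0));

// True when a keydown matches Ctrl/Cmd + a reserved key (AltGr combos excluded).
function isReservedShortcut(evt) {
  if (evt.type !== "keydown") return false;
  if (!(evt.ctrlKey || evt.metaKey) || evt.altKey) return false;
  return RESERVED.has(keyOf(evt).toLowerCase());
}

// Wrap proto.preventDefault to report cancelled shortcuts; returns an undo function.
function auditPreventDefault(proto, report) {
  const original = proto.preventDefault;
  proto.preventDefault = function (...args) {
    if (isReservedShortcut(this)) {
      report(`${this.metaKey ? "Cmd" : "Ctrl"}+${keyOf(this).toUpperCase()} cancelled by page script`);
    }
    return original.apply(this, args);
  };
  return () => { proto.preventDefault = original; };
}

// Constructed stand-in for a DOM event so the example runs outside a browser.
class FakeEvent {
  constructor(props) { Object.assign(this, { type: "keydown", defaultPrevented: false }, props); }
  preventDefault() { this.defaultPrevented = true; }
}

// Replays constructed key presses through a handler shaped like the demo's.
function runDemo() {
  const warnings = [];
  const restore = auditPreventDefault(FakeEvent.prototype, (m) => warnings.push(m));
  const pageHandler = (evt) => {
    if (evt.which == 70 && (evt.metaKey || evt.ctrlKey)) evt.preventDefault();
  };
  const events = [
    new FakeEvent({ which: 70, ctrlKey: true }), // Ctrl+F: cancelled, reported
    new FakeEvent({ which: 70 }),                // plain "f": handler ignores it
    new FakeEvent({ which: 83, metaKey: true }), // Cmd+S: this handler leaves it alone
  ];
  events.forEach(pageHandler);
  restore();
  return { warnings, prevented: events.map((e) => e.defaultPrevented) };
}
```

In a browser, `auditPreventDefault(Event.prototype, console.warn)` would have to run in the page's context before any site script; that placement is an assumption of this sketch.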

Given the frequency of posts purporting to contain passwords, credit card numbers, and other details leaked from popular websites, it's not a stretch to think plenty of people use the search feature to see if their personal information is included. If you've ever typed data into a browser search box that you wouldn't want outsiders to see, you're in good company.

"This has been possible for quite some time," said Jeremiah Grossman, CTO of Web security firm WhiteHat Security. He went on to say it would be easy for even security-savvy people to fall for such a scheme. "I couldn't tell you with any certainty I haven't."