Developer Max Chehab has released a proof-of-concept attack that uses the built-in CSS support of a browser to log keystrokes in a password field.

Chehab’s attack consists of a Chrome Extension which captures passwords and sends them to a server the hacker controls. The code is on GitHub.

“This attack is really simple. Utilising CSS attribute selectors, one can request resources from an external server under the premise of loading a background image,” said Chehab.

To verify his concept, Chehab provided the following instructions:

Open a website that uses a controlled component framework such as React. Press the extension C on the top right of any webpage. Type your password. Your password should be captured by the express server.

Now read: Keylogger found in HP laptop drivers