From: br@scndprsn.Eng.Sun.COM (Benjamin Renaud)
Date: Tue, 30 Jan 1996 15:26:45 +0800
To: joseph@genome.wi.mit.edu
Subject: Re: FL Demonstrates Fatal Flaw in Logins
Message-ID: <199601300603.WAA11063@springbank.Eng.Sun.COM>
MIME-Version: 1.0
Content-Type: text/plain



A couple of posts have raised the issue of doing the FV keyboard-capture
attack using Java.

|However, I don't know much about Java, would it be possible to make such an
|applet with Java?

The only events a Java applet is privy to are those that are typed in
an applet window (and only those it itself spawned). So if a user types
their credit card number in an applet window, the applet could send the
information back to its server (and to that server only). 

In theory, it is possible to make an applet which appears to be selling
something, get people to visit the page it's on, convince these people
to enter their credit card numbers, and send those back to the server
of origin. Of course, once this happens, you always know what host the
applet came from (unless the thief, in order to get a few credit card
numbers, has hacked DNS so that it's harder to track it).

That's the extent of the risk.

-- Benjamin Renaud
   Java Products Group