A quick shoulder surfing hack and how to protect yourself
LEGAL DISCLAIMER: This "hack" has been performed on my own computer, for educational purposes only. Don't use it against other people's systems, unless you've been given explicit written permission by their owners. I'm not responsible for any unintended use of these instructions.
When we hear about security breaches in the news, we immediately think of Matrix-like scenarios, where the Pentagon or NSA fight a cyber war against the bad guys.
Real-life scenarios are a little different and less exciting than you could think. Not all hacks rely on technical skills solely.
A hacker is a manipulation master and a psychology expert, too. Sometimes it's much easier to guess a password than trying to break it, if an organization doesn't enforce appropriate policies and weak passwords are used.
Social engineering can be more successful than breaking into a heavily hardened system.
The hack I'm going to show is quick and effective and requires only a minimal HTML knowledge.
NOTATION: In this post I adopted a wide definition of shoulder surfing, looking toward the future, rather than sticking to a strict academical notion. Shoulder surfing is usually defined like the activity of someone who tries to look over your shoulder to grab your username/password, or other information on screen, by being personally present.
NOTATION: In this post I adopted a wide definition of shoulder surfing, looking toward the future, rather than sticking to a strict academical notion. Shoulder surfing is usually defined like the activity of someone who tries to look over your shoulder to grab your username/password, or other information on screen, by being personally present.
Scenario
The hack can be attempted in two scenarios:
- Someone calls you on the phone (social engineering) pretending he/she's a help desk and asks you to enter username and password to a certain website without clicking Submit yet.
- You enter username and password for a website without clicking Submit and step away from your computer for a while without locking it.
In both cases, an unauthorized person (shoulder surfing) could simply select the password field with the mouse, right-click it and choose Inspect element. 
This will allow to access the HTML code of the page. At this point, it's enough to navigate the code to a line starting with <input type="password" 
By changing the input type to "test", we'll be allowed to see the password in clear text.
With a minimal knowledge, a would-be hacker could steal your password and wreak havoc. You should never EVER allow this kind of situations and should always lock your work computer when you step away.
Hope this little contribution can raise more awareness and can help you secure your computers better.
The weak link of cyber security is people. Sadly there's often too much focus on technology, overlooking social and psychological components, which is a very costly mistake.
The weak link of cyber security is people. Sadly there's often too much focus on technology, overlooking social and psychological components, which is a very costly mistake.
Comments
Post a Comment