If a browser is hijacked, can the hijacker install keyloggers?
If it's just a piece of JavaScript that doesn't exploit browser bugs, it will stop when the tab/browser is closed.
But if a cracker finds a browser bug which allows them to execute code outside the browser sandbox, all bets are off.
Restarting the desktop would be unnecessary for the former, but may have no impact for the latter.
If you think a machine is compromised, disconnecting from the network is more important than restarting, (and changing auth for any potentially compromised accounts).
Let's say they know this is my Linux account. They figure out the password and go into it and put code somewhere whereby when I log into the account, they are on my browser and have full access as if they were connecting to my computer via a remote access trojan.
But with a RAT, I've read that they are not able to put something permanent on the OS.
How are they figuring out the password? Are you so clueless as to use an easily guessable password? With your user password and sudo active, anyone can do anything. With the root password, anyone can do anything. Change your password regularly, use reasonably complex passwords, and you shouldn't need to worry much. Targeting an individual computer running Linux is not a profitable enterprise. Why would anyone go to the trouble of hacking into your computer and installing a keylogger? There has to be a high reward for such effort in order for anyone to even try it. I take reasonable precautions, but I don't lie awake nights worrying about someone trying to take over my computer. There just isn't enough value in it to make it worthwhile. Any sites with value attached, such as banks, Google, etc. have two-factor authentication enabled, so even a keylogger won't gain access. All passwords are in my password safe, and I copy/paste those.
There is usually an annual hack event where groups try to exploit common desktop systems. Some years the hackers do it by gaining access via browser. They have done it by scripts, java and images and maybe a few other ways.
I don't claim that it's impossible, only that it's not worth attempting barring unusual circumstances. I'm one of billions of computers connected to the internet. Someone would need a serious reason to target me, and there are so many Windows computers which are much easier targets.
Quote:
Some years the hackers do it by gaining access via browser. They have done it by (...) images
Saying one can be hacked by images (meaning graphic image files like JPG) is a misleading simplification. "Through images" might be acceptable. An image file is passive. It might contain malicious code, but it doesn't actively hack you, even if you open it in an image viewer.
There have been cases where malicious code was hidden in image metadata which might then get executed by software reading & interpreting this metadata, IIRC.
A very specific hack. I cannot find the relevant news item now, but IIRC it was specific to GNOME and mostly harmless.
Last edited by ondoho; 12-06-2020 at 03:33 AM.
Reason: image disambiguation (in brackets)
Quote:
But if a cracker finds a browser bug which allows them to execute code outside the browser sandbox, all bets are off.
This is the relevant bit. This is why we keep our browsers & operating systems up-to-date.
But by design, browsers allow javascript execution only in a sandbox. My guess is that this sandbox is page specific, i.e. it can't even look inside another page, so what you describe below should not be possible.
Quote:
Originally Posted by blooperx3
Let's say they know this is my Linux account. They figure out the password and go into it and put code somewhere whereby when I log into the account, they are on my browser and have full access as if they were connecting to my computer via a remote access trojan.
In any case, even the premise "they know this is my linux account" seems very unlikely. What's a "linux account"? Who are "they", and how do "they know"?
Quote:
But with a RAT, I've read that they are not able to put something permanent on the OS.
I have no idea what a RAT is and I have never been hacked (famous last words).
Generally speaking, sane browsing habits require:
regularly cleaning out local data & storage
using a safe password vault/manager
allowing javascript and 3rd party requests only selectively, on trusted sites
Of course, "trust" is tricky and never absolute.
Let's say, I wouldn't trust certain sites some spammers post. Meaning I would not click those links except _maybe_ in Tor Browser.
But for most sites: I do not trust them with my personal data, but I would trust them to not contain malicious code.
...ymmv...
Some browser hijacking can be easily reversed, while other instances may be difficult to reverse. Various software packages exist to prevent such modification.
Quote:
Let's say they ... have full access as if they were connecting to my computer via a remote access trojan.
But with a RAT, I've read that they are not able to put something permanent on the OS.
Full access means full access.
Restarting basically clears RAM.
Unless you have a read-only Live system (with no writable drives/storage attached at all) then full access allows persistent malware, irrespective of how the access was originally gained.
Restarting does not prevent remote access. Physically disconnecting compromised machines from the network prevents remote access.
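To make the persistence point concrete, here is an added read-only check (my script, not code from this thread) that lists the user-writable places where something running with ordinary account access could register itself to run again after the next login. The paths and the keyword list are assumptions, not a complete inventory; system-wide locations and `crontab -l` are outside its scope.

```shell
#!/bin/sh
# persist_check.sh (added example, not from the thread): enumerate user-level
# autostart locations under a home directory. Reads only, changes nothing.
# Usage: sh persist_check.sh [HOME_DIR]

# Print one line per candidate entry found under "$1", as "<location>: <entry>".
list_user_persistence() {
    home="$1"
    # XDG autostart: every .desktop file here is launched at desktop login.
    for f in "$home"/.config/autostart/*.desktop; do
        [ -f "$f" ] || continue
        exec_line=$(grep -m1 '^Exec=' "$f" | cut -d= -f2-)
        printf 'autostart: %s -> %s\n' "$(basename "$f")" "$exec_line"
    done
    # systemd user units: enabled services start with the user session.
    for f in "$home"/.config/systemd/user/*.service; do
        [ -f "$f" ] || continue
        exec_line=$(grep -m1 '^ExecStart=' "$f" | cut -d= -f2-)
        printf 'systemd-user: %s -> %s\n' "$(basename "$f")" "$exec_line"
    done
    # Shell startup files: anything appended here runs in every new shell.
    # The keyword list is an assumption; tune it to what you never put there.
    for rc in .bashrc .profile .bash_profile .zshrc; do
        f="$home/$rc"
        [ -f "$f" ] || continue
        grep -nE '(^|[;&| ])(curl|wget|nohup|base64|eval)[ ]' "$f" 2>/dev/null |
            while IFS= read -r line; do
                printf 'shell-rc: %s:%s\n' "$rc" "$line"
            done
    done
}

# Number of findings, for a quick summary or a scripted threshold.
count_user_persistence() {
    list_user_persistence "$1" | wc -l | tr -d ' '
}

list_user_persistence "${1:-$HOME}"
```

Nothing it prints is malicious by itself; each line is an entry you should recognize, and one you do not is where to start looking.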
Google, and perhaps Mozilla, offers handsome bounties to anyone who can show that they've compromised their browser, far more than they would get from shaking down private users. They don't pay out much. There are many very competent security experts working hard every day to prevent that sort of thing. Taking over a modern browser is very hard. That's why updates come along so often - as security issues are found, they're patched, and people are constantly searching. Having random hackers take over your browser and installing keyloggers is not a realistic threat. If a specific government entity wants to do it, it's perhaps possible, but that entity would need a reason. Keyloggers are not being installed on random home computers. And again, it's very hard to do this. The only really viable way to do this is to gain physical possession of the machine for the necessary time. Breaking into your house while you're gone is far easier and more reliable than trying to gain entry through your browser.
In one of my social media accounts that I rarely ever use, I had a complex password there for a very long time (a couple of years). Someone got into the account and put something there - my guess would be a script, but I don't know much about code/malware.
So when I logged in they got on to my computer shortly thereafter with no question they were on. But before I logged into that account they were not on; after I restarted and shut the tab/logged out for the social media account, they did not get back on.
But when it comes to putting keyloggers on my desktop, with the kind of access described, can they do that?
A good question is: how long would it take to install keyloggers with this kind of access to the computer? If it would take 15 minutes vs. 3 minutes, that would tell me a lot, like whether or not they could do it based on how long I have my browser open at one time - which is usually not a long time.
Quote:
Someone got into the account and put something there - my guess would be a script, but I don't know much about code/malware.
So when I logged in they got on to my computer shortly thereafter with no question they were on. But before I logged into that account they were not on; after I restarted and shut the tab/logged out for the social media account, they did not get back on.
The last sentence is the most relevant bit.
I question everything you wrote before that. You cannot "put a script into an account" where it then gets executed when you log in.
If anything, I'd say the whole site where the account resides was compromised. Or you used the same password elsewhere.
You have changed the password since, right?!?!
Without more information it's difficult, if not impossible, to say more; it's just another of those threads: "conspiracy myth 1, therefore I got hacked, therefore conspiracy myth 2".
As you see, I'm even questioning that you got hacked in the first place.
There is, to me, absolutely a question of whether 'they' were on your computer. Running javascript from a website is not the same thing. Javascript is running on almost every website, some more benign than others. Many websites simply won't function properly without it. But it's easy enough to prohibit javascript globally, and whitelist essential trusted sites if you feel the need. Just saying that there is no question someone was 'on your computer' does not make questioning it impossible, other than in one's own mind.