Keylogger for Mozilla Firefox

Browsers have become major component in everyday computing. We now have web applications for everything. Since we trust our personal data with these apps , A rise of security measures like HTTPS-only sites and two-factor authentication can be seen commonplace. But the most easy way to compromise security of a user is through browser plugins.

All the plugins submitted to mozilla or google are verified before it’s put on on their store. But there are problems in this approach. Most plugins aren’t produced by big companies. They’re often small tools an individual person makes to scratch their own itch and releases to the public. These plugins may be perfectly safe when you install them. However, there are companies that offer to buy plugins from their creators for good enough money. This can be tempting developers who created it. The company then takes control over the add-on and modifies it to add tracking script, advertisement scripts and sometimes you know malware.

So, I decided to write a keylogger to find out how easy it is to make one for firefox. In a day I was able to write working code which works as advertised. You can view it on github repo. Firefox-logger.

How it works?

Plugin itself if written in javascript (as expected) and relies on event listeners provided by firefox sdk. Logging keystroke was undocumented feature hidden inside firefox sdk, which I was able to find out after some digging around.

1
2
3
4
5
var observer = require("sdk/keyboard/observer").observer;
observer.on('keydown', function(event){
//do something
}

What if this API was not provided by firefox sdk? Then we simply could have injected some javascript code using pagemod module in sdk and logged in key-presses using

1
2
3
document.onkeypress = function(e) {
// do something
};

plugin also logs opened urls using tabs module

1
2
3
4
5
var tabs = require("sdk/tabs");
tabs.on('ready', function(tab){
// do something
});

Key strokes and urls are stored in temporary buffers which is then passed to network and storage modules every 2 seconds using setInterval() .

Network module sends data to log server running in some remote location in json format. We can also use socket.io to perform efficient network transaction but in this case it was just a simple code. If network is not there for some reasons then logs are stored locally using firefox’s simple-storage module. Since it has limit of 5 MB storage we clear simple-storage data as soon as network transaction is successful.

Server runs on nodejs using express and somewhat weird REST like api :P and logs data into file using a wonderful module called diskdb which stores data into json format into a file which is used for read/write operations. diskdb was chosen for being lightweight and easy to use , full fledged attack can also use some real database backend for faster data transaction.

Data can be retrieved back by sending server password in json format and server returns whole json log file.

Conclusion

You can read about on how to setup it on Readme file on github repo. Think twice before installing any kind of browser add-on and be sure to check what add-ons are installed in your browser regularly .