World Wide Web electronic commerce applications often require consumers
to enter private information (such as credit card numbers) into forms in
the browser window. If third parties can insert Trojan horse applications
onto a consumer's machine, they can monitor keyboard strokes and steal
private information.
This paper outlines a simple way to accomplish this using Java or
similar remote execution facilities. We implemented a simple version
of this attack. We give a general method, window personalization,
that can thwart or prevent this attack.