J.D. Tygar and Alma Whiten
Carnegie Mellon University

Abstract

World Wide Web electronic commerce applications often require consumers to enter private information (such as credit card numbers) into forms in the browser window. If third parties can insert trojan horse applications onto a consumer's machine, they can monitor keyboard strokes and steal private information.

This paper outlines a simple way to accomplish this using Java or similar remote execution facilities. We implemented a simple version of this attack. We give a general method, window personalization, that can thwart or prevent this attack.

View the full text of this paper in HTML and POSTSCRIPT (8,041,072 Bytes)

To Become a USENIX Member, please see our Membership Information.