Twittering keylogger

[Kyle McDonald] sent in his latest project, a software keylogger that twitters what you type. He wrote it using C++ and OpenFrameworks. It logs each keystroke, then it posts to twitter 140 characters at a time. To protect himself, he set up a whitelist of private strings like passwords and credit card numbers that would be stripped before posting. If the twypewriter followed him, his keystrokes could be recreated.

[thanks Kyle]

Comments

  1. I think you meant his private strings are on the _blacklist_ instead of the _whitelist_.

    Anyways, cool project :P

  2. nimrod says:

    i was just about to write the same. but now that you was first, i guess the next step is on me: ‘smartass!’ ^^.

  3. Yeah, blacklist for “safe”/filtered words :)

    It could be cool to make some Windows API calls to find out what the current app in focus is, and only tweet messages from specific programs (e.g., skype, aim, etc.) That’d almost be “useful”, though, and I was aiming more for “ridiculous” :)

    I also posted the binaries if you’d like to try it out without compiling things. http://kylemcdonald.net/

  4. yu says:

    what is the point of it? why would anyone want to log their keystroke and upload it online?

  5. @yu: it’s not really a “practical” app, it’s more of an experiment for exploring the difference between “private” and “public” information. I’m also curious about why people post to twitter in the first place. Maybe it’s comforting to think that our random thoughts are worthwhile? I’m trying to understand these questions better, too.

  6. sunjester says:

    this is nothing more than a keylogger. i mean… c’mon, just because it twitters doesn’t mean it deserves a spot on hackaday….

    lame.

  7. @sunjester: I feel like hacking our expectations and beliefs (about things like privacy) can be just as essential as technically/scientifically interesting hacks. I agree, because it tweets doesn’t mean it belongs on hackaday :) [ditto with anything using an Arduino] But I submitted this project because I thought hackaday readers might enjoy an old idea (a keylogger) used in an unusual way: to share “private information” on purpose.

  8. chris says:

    Interesting project! Thanks.

  9. Stu says:

    Yeah interesting, but I can’t really see how it could be taken ‘forward’ to some other practical project, not to say it shouldn’t have been tried in the first place.
    One thing, make sure the blacklist file is at least encrypted strongly if it’s to hold passwords to filter out. Perhaps a more robust solution would be to not have the pwd in a text file, but compare keystrokes against the Windows SAM database hashes. Maybe. Okay maybe not! ;-)

  10. Thomascpp says:

    oh no, the two greatest evils in the world combined!

  11. anon says:

    I’ll be so happy when this twitter phenomenon is over

    there is just a limit to the amount of information that we need to know about you. facebook and myspace abutted the line but twitter has just completely blown it away.

  12. @anon: I totally agree.

  13. Dennis says:

    wow, that’ll make so many important new tweets, and raise the overall quality of new twitter posts worldwide SIGNIFICANTLY.
    XD

  14. Fake51 says:

    So, not only does the keylogger grab whatever he types, greatly increasing the chances of that “Oooops” moment … he also hardcoded important critical information into a blacklist? Please tell me he at least hashes the stuff instead of just sticking it in there in plaintext …

  15. @fake51: The blacklist has about 15 entries, where each entry is a piece of a filtered word/number, and they’re permuted so to be non-adjacent (e.g., the first four digits of my credit card number are not followed by the next four). I’m confident that the code won’t let me post anything it shouldn’t. If you wanted to get the information, you’d either have to steal my computer, crack my computer remotely and acquire the file (and de-permute the relevant keys), or find a way to attack the cURL lib that receives JSON responses from the Twitter API (which is running in a separate process, and returns input that I don’t touch). In other words, it’s about as safe as the “Saved Passwords” feature in Firefox, and more about convenience than security. Even if something got past it, would you really want to wade through hundreds of Twitter posts? :) If you have other ideas, send me an email!

  16. ReconServer says:

    http://www.reconserver.com is a keylogger that also takes screencaps and has a built in webserver.
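
Added example (not part of the original post and not Kyle McDonald's code): comment 14 asks whether the blacklist is hashed rather than kept in plaintext, and the post describes posting 140 characters at a time. This Python sketch stores only keyed digests of the filtered strings and compares filtering after splitting with filtering before splitting, since a filtered string that straddles a 140-character boundary escapes the first order; the key, sample string and function names are constructed for illustration.

```python
import hashlib
import hmac

TWEET_LEN = 140  # chunk size stated in the post

def digest(key, text):
    """Keyed digest, so the table never holds a filtered string in plaintext."""
    return hmac.new(key, text.encode(), hashlib.sha256).digest()

def build_blacklist(key, secrets):
    """Map each secret's length to the set of digests of secrets of that length."""
    table = {}
    for s in secrets:
        table.setdefault(len(s), set()).add(digest(key, s))
    return table

def redact(key, table, text, mask="*"):
    """Mask every substring whose keyed digest appears in the table."""
    out = list(text)
    for n, digests in table.items():
        for i in range(len(text) - n + 1):
            if digest(key, text[i:i + n]) in digests:
                out[i:i + n] = mask * n
    return "".join(out)

def split(text):
    """Cut text into postable chunks of at most TWEET_LEN characters."""
    return [text[i:i + TWEET_LEN] for i in range(0, len(text), TWEET_LEN)]

def chunks_naive(key, table, text):
    """Weak order: split first, then filter each chunk on its own."""
    return [redact(key, table, c) for c in split(text)]

def chunks_safe(key, table, text):
    """Corrected order: filter the whole buffer, then split."""
    return split(redact(key, table, text))

if __name__ == "__main__":
    key = b"constructed-demo-key"                   # constructed, not a real key
    table = build_blacklist(key, ["hunter2-demo"])  # constructed sample secret
    text = "a" * 135 + "hunter2-demo" + " rest"     # secret crosses offset 140
    print("naive leaks:", "hunter2-demo" in "".join(chunks_naive(key, table, text)))
    print("safe leaks: ", "hunter2-demo" in "".join(chunks_safe(key, table, text)))
```

Keyed digests keep the entries from being read straight out of the file, but anyone who obtains both the key and the table can brute-force low-entropy entries such as card digits.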
