Twittering Keylogger


[Kyle McDonald] sent in his latest project, a software keylogger that twitters what you type. He wrote it using C++ and openFrameworks. It logs each keystroke, then posts to Twitter 140 characters at a time. To protect himself, he set up a whitelist of private strings like passwords and credit card numbers that would be stripped before posting. If the twypewriter followed him, his keystrokes could be recreated.

[thanks Kyle]

16 thoughts on “Twittering Keylogger”

  1. Yeah, blacklist for “safe”/filtered words :)

    It could be cool to make some Windows API calls to find out what the current app in focus is, and only tweet messages from specific programs (e.g., skype, aim, etc.) That’d almost be “useful”, though, and I was aiming more for “ridiculous” :)

    I also posted the binaries if you’d like to try it out without compiling things.

  2. @yu: it’s not really a “practical” app, it’s more of an experiment for exploring the difference between “private” and “public” information. I’m also curious about why people post to twitter in the first place. Maybe it’s comforting to think that our random thoughts are worthwhile? I’m trying to understand these questions better, too.

  3. @sunjester: I feel like hacking our expectations and beliefs (about things like privacy) can be just as essential as technically/scientifically interesting hacks. I agree, because it tweets doesn’t mean it belongs on hackaday :) [ditto with anything using an Arduino] But I submitted this project because I thought hackaday readers might enjoy an old idea (a keylogger) used in an unusual way: to share “private information” on purpose.

  4. Yeah interesting, but I can’t really see how it could be taken ‘forward’ to some other practical project, not to say it shouldn’t have been tried in the first place.
    One thing, make sure the blacklist file is at least encrypted strongly if it’s to hold passwords to filter out. Perhaps a more robust solution would be to not have the pwd in a text file, but compare keystrokes against the Windows SAM database hashes. Maybe. Okay maybe not! ;-)

  5. I’ll be so happy when this Twitter phenomenon is over

    There is just a limit to the amount of information that we need to know about you. Facebook and MySpace abutted the line but Twitter has just completely blown it away.

  6. So, not only does the keylogger grab whatever he types, greatly increasing the chances of that “Oooops” moment … he also hardcoded important critical information into a blacklist? Please tell me he at least hashes the stuff instead of just sticking it in there in plaintext …

  7. @fake51: The blacklist has about 15 entries, where each entry is a piece of a filtered word/number, and they’re permuted so as to be non-adjacent (e.g., the first four digits of my credit card number are not followed by the next four). I’m confident that the code won’t let me post anything it shouldn’t. If you wanted to get the information, you’d either have to steal my computer, crack my computer remotely and acquire the file (and de-permute the relevant keys), or find a way to attack the cURL lib that receives JSON responses from the Twitter API (which is running in a separate process, and returns input that I don’t touch). In other words, it’s about as safe as the “Saved Passwords” feature in Firefox, and more about convenience than security. Even if something got past it, would you really want to wade through hundreds of Twitter posts? :) If you have other ideas, send me an email!
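
Comments 6 and 7 turn on how the filter list is stored. The Python example below is added here and is not Kyle's code or part of the original post or comments; it shows the hashed variant comment 6 asks about, keeping only keyed digests of each secret and redacting the whole buffer before it is cut into 140-character posts. The class and function names, the key handling and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os

TWEET_LEN = 140  # chunk size stated in the post


class HashedBlocklist:
    """Filter list that stores keyed digests of secrets, never the secrets."""

    def __init__(self, key: bytes):
        # Assumption: the key is kept in an OS keystore, not beside the list.
        # If the key is stolen with the list, short secrets such as card
        # numbers can be guessed offline.
        self._key = key
        self._by_len = {}  # secret length -> set of HMAC digests

    def _digest(self, text: str) -> bytes:
        return hmac.new(self._key, text.encode("utf-8"), hashlib.sha256).digest()

    def add(self, secret: str) -> None:
        self._by_len.setdefault(len(secret), set()).add(self._digest(secret))

    def redact(self, text: str, mask: str = "*") -> str:
        out = list(text)
        for length, digests in self._by_len.items():
            # Slide a window of each stored length across the text.
            for start in range(len(text) - length + 1):
                if self._digest(text[start:start + length]) in digests:
                    out[start:start + length] = mask * length
        return "".join(out)


def chunks_for_posting(buffer: str, blocklist: HashedBlocklist) -> list:
    # Redact the whole buffer before splitting, so a secret that straddles
    # a 140-character boundary is still matched.
    clean = blocklist.redact(buffer)
    return [clean[i:i + TWEET_LEN] for i in range(0, len(clean), TWEET_LEN)]


if __name__ == "__main__":
    bl = HashedBlocklist(os.urandom(32))
    bl.add("4111111111111111")  # constructed sample: a well-known test card number
    typed = "a" * 135 + "4111111111111111" + " done"  # secret crosses position 140
    for part in chunks_for_posting(typed, bl):
        print(len(part), part[-25:])
```

Filtering each 140-character chunk separately would miss the constructed number above, because its first five digits fall in one chunk and the rest in the next.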
