Hacker News
by Diggsey 1795 days ago
Exactly. Plus, you don't even need to spoof anything - you can show the real login page!

There are many ways, but one particularly undetectable one would be to clear cookies and local-storage (causing the user to be logged out). Then use the history API to change the URL to the login page, and finally load the real login page in a full-screen iframe. Since the iframe contents are on the same domain, you can just reach in and extract the username & password fields as the user enters them.
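
Added example, not part of the comment above: the iframe step depends on the login page being allowed to render in a frame whose parent is its own origin. This check reports whether a response's headers forbid all framing, covering both `X-Frame-Options` and CSP `frame-ancestors`; the function names are chosen here and the header values used with it are constructed samples.

```javascript
// Added example (not from the original comment). Header values passed to
// these functions are constructed samples, not captured traffic.

// Return the frame-ancestors source list of one CSP policy, or null if the
// policy has no such directive.
function frameAncestors(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') {
      return sources.map((s) => s.toLowerCase());
    }
  }
  return null;
}

// True only when the headers forbid every embedder, including the page's own
// origin. `headers` maps header names to a string or an array of strings.
function deniesAllFraming(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = [].concat(value);
  }
  // Several policies may arrive as separate headers or comma-joined in one.
  const lists = (h['content-security-policy'] || [])
    .flatMap((v) => v.split(','))
    .map(frameAncestors)
    .filter((l) => l !== null);
  if (lists.length > 0) {
    // An enforced frame-ancestors directive makes browsers ignore
    // X-Frame-Options. All policies apply, so one 'none' (or an empty
    // source list) is enough to block every embedder.
    return lists.some(
      (l) => l.length === 0 || (l.length === 1 && l[0] === "'none'")
    );
  }
  // Conflicting X-Frame-Options values are not analysed; only DENY counts.
  const xfo = (h['x-frame-options'] || [])
    .flatMap((v) => v.split(','))
    .map((v) => v.trim().toUpperCase());
  return xfo.includes('DENY');
}
```

`SAMEORIGIN` and `frame-ancestors 'self'` return false here because they still permit a frame whose parent is the same origin. Script already running on that origin has other ways to present the form, so this is one layer rather than a complete defence.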