Gathering passwords with the JAWS builtin keylogger

JAWS so helpfully contains a built-in script that logs all keys pressed on the keyboard. This method has a better chance of working on XP than the others. You must have a user account on the machine to make this work.

1. Open Keyboard manager, and open the default file. Add a key to the “ToggleKeyboardLogging” script.

2. Once done, log out of the machine. Your profile will still be loaded. Press that key. The only thing JAWS will say is “enabled”. Log into the machine, then open keystrokes.log in your jaws program directory. all keys pressed will be there, from the last time the script was enabled.


Tags: ,

4 Responses to “Gathering passwords with the JAWS builtin keylogger”

  1. Kevin Says:

    these problems should be privately given to FreedomScientific to fix. If you think you’re hurting FS, well your actually hurting the blind community instead. Think about what you do, as your actions effect all people who use the software.

  2. Tyler Spivey Says:

    I don’t see it this way. FS Probably knew about these types of vulnerabilities since at least jaws 8, since that’s when vista support and Secure desktop support got added. As long as it doesn’t take too much effort on my part for me to find these, I’ll continue posting them.
    Freedom Scientific hasn’t said anything, positive or negative about my efforts. I at least expected a note in the changes in the just released JAWS 11, or a security advisory of some sort to come out, but they stay silent. This silence is troubling, because security vulnerabilities should never be silently fixed.

    I realize this leaves those using older versions of JAWS in an insecure state, but we have no control over that. As long as the full jfw.exe runs under the Secure Desktop, this possibility will always exist. I may not be able to find more problems, but those who have more abilities than I do probably could.

  3. Doug Lee Says:

    If you tell FS quietly, you help protect blind people. If you tell the world before they can address a problem, you encourage misuse of your information. This is a well accepted rule in security management. It is also common sense: If you want someone to work with you, don’t antagonize them. :) Beyond that though, it is my opinion that you are stepping into very dangerous legal waters here by actually encouraging the very sorts of exploits you claim to oppose. I’m not a laywer, nor is this legal advice; but if it were me, I’d want legal advice before making a public policy of exposing security flaws to the world as the first indication of their existance.

  4. James Scholes Says:

    Way to go, JAWS! So, let’s see, I can gain admin access without typing a password, then use JFW to log a user’s keystrokes so that next time I don’t have to use the same method to gain admin access. There’s nothing like multi-purpose software, is there?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: