The vulnerability allows the attacker to silently redirect focus of
selected key press events to an otherwise protected file upload form
field. This is possible because of how onKeyDown / onKeyPress events are
handled, allowing the focus to be moved between the two. If exploited,
this enables the attacker to read arbitrary files on the victim's system.
[bugzilla.mozilla.org...]
[securityfocus.com...]
Exploits found in both Fx and MSIE.
It does show, however, how seriously and deeply the analysis of browser weaknesses goes. Security researchers really do leave no stone unturned, and browsers are better for it.
[quote]it is difficult to imagine a serious threat when there is a requirement for the end-user to type in the commands hidden in a larger text. How many times would you type in an exact text without using copy/paste (thus negating the impact)?[/quote]
Quite true, and my thoughts [i]exactly[/i] when I first had a look at the examples the author lays forth. But when you think about how often you are keying into forum or blogging <textarea> elements you quickly realize how the keystrokes can be compared and focus accepted and then returned.
And what is happening in the example put forth by the author is a simple demonstration of monitoring the characters being pressed on the keyboard. A predetermined filename has been constructed based on the charCode of each character desired in the filename desired from the user's PC. As the unknowing user is keying information into the <textarea>, each keystroke is monitored and compared, and if it matches the next character in sequence, the focus() is moved to the hidden <input type="file"> element and the onkeypress event stores that value in that field before the focus() is passed back to the <textarea> where the keystroke is being displayed.
Think about how often and what you key into a message here at WebmasterWorld, and if the forum software uses ubbcodes, you are hitting the slash character quite often, making it very easy to build file paths. As a matter of fact, go back and put the big characters together from this post
;)
/etc/passwd