Passwords are supposed to protect our online accounts and data from unauthorized access. But what if hackers could bypass passwords and steal them directly from your screen? That’s the scary scenario that a new pixel-stealing exploit can enable, according to security researchers from the University of Michigan and the University of Illinois at Urbana-Champaign.

The exploit, dubbed PixelSteal, is based on a technique called pixel stealing, which allows an attacker to read the pixels of another application’s window without its permission. Pixel stealing has been known for a long time, but it was mostly used for benign purposes, such as screen recording or remote desktop applications. However, the researchers found a way to use pixel stealing for malicious purposes, such as reading usernames, passwords, credit card numbers, and other sensitive data from web browsers, email clients, and other applications.

The researchers demonstrated the exploit on Windows 10, but they said it could also work on other operating systems, such as Linux and macOS. The exploit works by creating a transparent window that covers the target application’s window, and then using the Windows API function GetPixel to read the color values of the pixels underneath. The exploit can also use optical character recognition (OCR) to convert the pixel values into text.

The exploit is stealthy and hard to detect, because the transparent window does not interfere with the user’s interaction with the target application, and the pixel reading process does not generate any network traffic or disk activity. The exploit can also evade antivirus software and other security mechanisms, because it does not use any malicious code or inject any DLLs into the target application.

The researchers tested the exploit on several popular applications, such as Google Chrome, Mozilla Firefox, Microsoft Edge, Microsoft Outlook, and Adobe Acrobat Reader. They were able to successfully read usernames, passwords, credit card numbers, and other sensitive data from these applications, as well as from websites such as Gmail, Facebook, Twitter, Amazon, and PayPal. They also showed that the exploit can read data from password managers, such as LastPass and KeePass, which are supposed to protect passwords from being exposed.

The researchers said that the exploit is not limited to reading text, but can also read images, such as QR codes, barcodes, and CAPTCHAs. This could enable the attacker to perform other attacks, such as impersonating the user, bypassing authentication, or accessing restricted services.

The researchers reported the exploit to Microsoft, but they said that Microsoft did not consider it a security vulnerability, because it requires the attacker to have physical access to the victim’s machine or to trick the user into running a malicious application. However, the researchers argued that these are not unrealistic scenarios, especially in the context of phishing, social engineering, or insider threats.

The researchers suggested some possible countermeasures to mitigate the exploit, such as disabling the GetPixel function, encrypting the pixels of sensitive data, or using a secure input method that does not rely on pixels. However, they also acknowledged that these countermeasures may have negative impacts on the usability and compatibility of applications.

Passwordless Authentication: The Future of Security

One of the most effective ways to prevent the pixel-stealing exploit and other password-based attacks is to eliminate passwords altogether. Passwordless authentication is an authentication method that allows a user to verify their identity without entering a password or answering security questions. Instead, the user provides some other form of evidence, such as a fingerprint, a face scan, a voice recognition, a proximity badge, or a hardware token code.

Passwordless authentication has many advantages over password-based authentication, such as:

Passwordless authentication is not a new concept, but it has become more feasible and widespread in recent years, thanks to the advances in biometric technology, mobile devices, and cryptographic standards. Many online services, such as Microsoft, Google, Facebook, and Apple, already offer passwordless authentication options to their users, such as Windows Hello, Google Prompt, Facebook Login, and Apple Face ID. Many organizations, such as banks, governments, and enterprises, are also adopting passwordless authentication solutions to enhance their security and user experience.

Passwordless authentication is not a one-size-fits-all solution, but rather a spectrum of options that vary in terms of security, usability, and compatibility. Depending on the context and the requirements, different passwordless authentication methods may be more suitable than others. For example, biometric authentication may be more convenient and secure for personal devices, but may raise privacy and accessibility issues for shared devices. Hardware token authentication may be more reliable and universal for web applications, but may require additional devices and infrastructure.

Passwordless authentication is not a silver bullet, but rather a step forward in the evolution of authentication. It does not eliminate all the security challenges, but rather shifts them to other aspects, such as device security, identity verification, and user consent. Passwordless authentication also does not replace all the security best practices, but rather complements them with other layers, such as encryption, multifactor authentication, and zero trust.

Passwordless authentication is the future of security, but it is not the end of security. It is a promising and progressive way to protect our online accounts and data from unauthorized access, but it also requires continuous improvement and adaptation to the changing threats and needs. Passwordless authentication is not only a technical solution, but also a cultural change that requires the awareness and participation of both users and providers.