FNB website blocking password managers

PH03NIX-ZA

This post is similar to two other threads relating to FNB's banking apps (here and here), but since it's about their website instead, I thought that it deserved its own thread.

So I tried to log in using KeePassXC today and not only did the FNB site block pasting from it (in a way that bypasses common methods of bypassing these blockers, such as this) but even its autotype.

So to avoid FNB dictating my password management routine and imposing what I believe to be less secure password habits, I decided to bypass their blocks using a Python script, which I quickly wrote and will share here for inspiration.

It was only run with Python 3.7 and requires pynput, which is pip installable.

Python:
from time import sleep

from pynput.keyboard import Key, Controller


# Placeholder text to type; replace before running
TO_TYPE = "Test!1.>"

# Deal with needing to manually press shift for certain keys (US layout):
# map each shifted symbol to the unshifted key that produces it
upper_non_alpha = list('~!@#$%^&*()_+{}|:"<>?')
lower_keys = list("`1234567890-=[]\\;',./")
upper_non_alpha_map = dict(zip(upper_non_alpha, lower_keys))

keyboard = Controller()

# Give time to change focus to new window
sleep(3)

for char in TO_TYPE:
    if char.isupper() or char in upper_non_alpha:
        # Hold shift and press the base key, as a person would
        with keyboard.pressed(Key.shift):
            if char.isupper():
                actual_char = char.lower()
            else:
                actual_char = upper_non_alpha_map[char]
            keyboard.press(actual_char)
            keyboard.release(actual_char)
    else:
        keyboard.press(char)
        keyboard.release(char)

print("Done!")
You use it by replacing the text referenced by TO_TYPE, executing it and within 3 seconds, clicking on the password field.

After inspecting the site's code, I noticed that any characters typed out by an autotyper (KeePass or Python) that normally needed shift to be accessed, such as $, > or any capital letter, gave the same Unicode value of 231 to the JavaScript keydown event handler, and FNB filtered out any Unicode values that could not be typed by hand, it seemed.

This means that I would have to explicitly use shift in my script when a character called for it. This would have to be determined automatically. For upper-case letters that was easy, but less so for special or punctuation characters.
I ended up just doing it the simplistic way and made a map between those keys (e.g. !) and their lower-case equivalents (e.g. 1) in order to know how to type the former in a way that the FNB site would not be the wiser for.

This probably won't work for different language keyboards (I standardize on US Int), unfortunately, but it's a start.
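
The keydown behaviour described in the post, modelled as an added example (not part of the original post and not FNB's code): it shows why a filter keyed on keyCode 231 drops only the shifted characters of an auto-typed password. The handler logic, function names and stand-in key codes are assumptions; only the value 231 and the symbol table come from the post.

```javascript
// Constructed model of the keydown filtering described in the post; not FNB's code.
const SYNTHETIC_KEYCODE = 231; // value the post saw for auto-typed shifted characters
const SHIFT_KEYCODE = 16;

// US-layout shifted symbols and the unshifted keys they share (as in the post's script).
const SHIFTED = '~!@#$%^&*()_+{}|:"<>?';
const BASE = "`1234567890-=[]\\;',./";

const isUpper = (ch) => ch !== ch.toLowerCase();
// Stand-in key code; real codes differ for punctuation, only the 231 check matters here.
const standInCode = (baseKey) => baseKey.toUpperCase().charCodeAt(0);

// Hypothetical field handler: a keydown carrying keyCode 231 is discarded.
function filterKeydowns(events) {
  let value = "";
  for (const ev of events) {
    if (ev.key === "Shift") continue; // modifier only, no character
    if (ev.keyCode === SYNTHETIC_KEYCODE) continue; // equivalent of preventDefault()
    value += ev.key;
  }
  return value;
}

// Event stream as the post observed it from an autotyper: no Shift, keyCode 231.
function autotypeEvents(text) {
  return [...text].map((ch) => {
    const shifted = isUpper(ch) || SHIFTED.includes(ch);
    return { key: ch, keyCode: shifted ? SYNTHETIC_KEYCODE : standInCode(ch) };
  });
}

// Event stream when Shift is pressed explicitly around the base key, as the script does.
function explicitShiftEvents(text) {
  const out = [];
  for (const ch of text) {
    const i = SHIFTED.indexOf(ch);
    if (i < 0 && !isUpper(ch)) {
      out.push({ key: ch, keyCode: standInCode(ch) });
      continue;
    }
    const baseKey = i >= 0 ? BASE[i] : ch.toLowerCase();
    out.push({ key: "Shift", keyCode: SHIFT_KEYCODE });
    out.push({ key: ch, keyCode: standInCode(baseKey) });
  }
  return out;
}

const sample = "Test!1.>"; // same sample string as the post's script
console.log(JSON.stringify(filterKeydowns(autotypeEvents(sample))));      // "est1."
console.log(JSON.stringify(filterKeydowns(explicitShiftEvents(sample)))); // "Test!1.>"
```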