IE and Firefox Share a Vulnerability
Very true. First time I tried it, it got as far as c:bo and stopped cos I was typing too fast. That wouldn't be any use at all.
Mind you, the likelihood of people typing sufficiently slowly for this to catch the keystrokes is high enough to warrant this as a threat. However, that's only if the attacker knew the name of the file to look for. I guess to pull something from My Documents they just need the user to type in their Windows username (eg c:\Documents and settings\[username goes here]\My Documents - they could fill in the rest themselves), but then they'd have to append the document name, say, document1.doc to the end.
If they don't know the filename, this attack is dead in the water. Why would someone enter the name of a document on their system just because some random webpage asks?
I suppose a fix for this would be a warning prompt when a file is about to be sent. Any other suggestions? Is this solution too obtrusive?