Internet Explorer bug tracks your mouse cursor
Spider.io's sample game demonstrates how the flaw in Internet Explorer can be used to capture security data entered into on-screen keypads.
Affecting Internet Explorer versions 6 through 10 inclusive, the flaw allows attackers to follow the mouse cursor regardless of where it is on the screen - even if it's not positioned over the IE window. Worse still, the cursor can be tracked even when Internet Explorer is minimised, so long as the application is still running in the background. The system also tracks the status of the shift, control and alt keys.
Currently, the company that discovered the flaw in Internet Explorer's event model, Spider.io, has found that the flaw is only being exploited by advertising analytic companies for shady user tracking and not by those with more malicious endeavours in mind - but the vulnerability could be used to monitor the use of on-screen keypads and selection boxes to enter security codes, a common feature of internet banking systems.
'As a user of Internet Explorer, your mouse movements can be recorded by an attacker even if you are security conscious and you never install any untoward software,' Spider.io warns. 'An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit. This is not restricted to lowbrow porn and file-sharing sites. Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector. Indeed, the vulnerability is already being exploited by at least two display ad analytics companies across billions of webpage impressions each month. As long as the page with the exploitative advertiser’s ad stays open—even if you push the page to a background tab or, indeed, even if you minimise Internet Explorer—your mouse cursor can be tracked across your entire display.'
Microsoft is reportedly aware of the flaw, but has stated that it has no plans to patch the vulnerability any time soon - leaving users of all its browser versions, including the much-improved Internet Explorer 10 found in Windows 8, vulnerable to attack.
A short game demonstrating how the vulnerability could be used to compromise the security of virtual keypads is provided at iedataleak.spider.io - although, obviously, it won't work in anything except Internet Explorer.
UPDATE 2012-12-14
Microsoft's Dean Hachamovitch, corporate vice president in charge of Internet Explorer, has issued a statement on the matter. 'We are actively working to adjust this behavior in IE. There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers,' Hachamovitch claimed, while downplaying the severity of the bug and accusing Spider.io of blowing the issue out of proportion in order to make rival analytic companies look bad. 'From what we know now, the underlying issue has more to do with competition between analytics companies than consumer safety or privacy. The only reported active use of this behavior involves competitors to Spider.io providing analytics.'
No timescale for a patch has yet been provided by the company.
Previous Article
26 Comments
Discuss in the forums ReplyBesides all that if there is a security hole of any shape it should be patched soon after its discovered, it might be a "useless" thing to day but who knows how it will morph. Fit the lock before the horse even realises there is a door.
Maybe because they cant, maybe fixing it will mean disabling some important feature.
Its not good to say your not going to fix a security related bug as that is all most people will take away from it, that M$ isn't worried about peoples security.
I have never know Microsoft to publish details of a bug before they release the update to fix it, normally you get the update and they give details of what that update fixes.
http://forums.bit-tech.net/showthread.php?t=253175
What was it I said earlier? exactly that :)
Maybe not,
UPDATE 2012-12-14
Microsoft's Dean Hachamovitch, corporate vice president in charge of Internet Explorer, has issued a statement on the matter. 'We are actively working to adjust this behavior in IE. There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers,' Hachamovitch claimed.
I am sure this would be useful for advertisers but you can already track a mouse position in JS. The only difference here is that it happens even outside of the IE window. It's a bug but I think its been overhyped.
Say for example you had a site open with this script loaded that tracked your mouse movements, how will it know what it is that you are moving your mouse over on the screen?
It should be patched but I think its not critical compared to exploits that allow executing malicious code and things like that
That's an interesting statement. Any idea which browsers?
No other browsers are mentioned by name I wonder if he is just stirring things up or scaremongering? If Mozilla, Google etc, deny it he might have to prove it or eat his words!
Yeh, sounds a little fishy....if it isn't true then could be an interesting time ahead, but it may as some folks have said quite difficult to know exactly where the cursor is hovering or what its clicking....so it may have been considered a minimal risk exploit and folks have not bothered to patch as a general rule.....I wonder if there is an browser add-on or app that actually utilises such a feature as part of the browser design?
"Ghostery sees the "invisible" web, detecting trackers, web bugs, pixels, and beacons placed on web pages by Facebook, Google Analytics, and over 1,000 other ad networks, behavioral data providers, web publishers - all companies interested in your activity".
I'm going to give it a try, probably quite daunting when you find out just how intensely your surfing is monitored and what these companies do is apparently not illegal but the opportunities for exploitation are obvious, even if a site is https which protects against Man-in-the-middle attacks if some kind of cursor tracker/keylogger has been hidden in the page just how safe are you when entering personal/card details
The web it creates its interesting to look at.