Internet Explorer flaw allows attackers to track your mouse movements


Researchers have found a security hole in Internet Explorer, potentially giving hackers a way of tracking your mouse cursor movements, even if your window is inactive, minimised or unfocused.

The vulnerability is particularly worrisome given that it thwarts the use of virtual keyboards and virtual keypads, which are used as a defence against keyloggers.

The vulnerability was discovered by spider.io, vendor of a hosted platform that the company says allows users to distinguish between human website visitors and bots in real time.

Here's a brief video where the issue is demonstrated:

Spider.io discovered the flaw on 1st October and disclosed it to Microsoft, informing the company that IE versions 6-10 are affected.

Microsoft Security Research Center acknowledged the flaw but isn't jumping on a fix, telling spider.io that it has "no immediate plans" to patch it in existing browser versions.

So spider.io went public on Tuesday.

The cursor flaw gives attackers access to an IE user's mouse movements even if he or she has abstained from installing funky software.

Attackers can access visitors' mouse movements just by buying a display ad slot on any website, and those sites aren't just the dark alleyways of the Internet, spider.io says:

"This is not restricted to lowbrow porn and file-sharing sites. Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector."

In fact, the vulnerability is actively being exploited by at least two display ad analytics companies across "billions of webpage impressions each month," spider.io says.

That goes for any page that stays open, even if a visitor pushes it to a background tab or minimises IE altogether, given that "your mouse cursor can be tracked across your entire display," says the company.

The vulnerability gives attackers the ability to easily snatch passwords or credit card details, all without the trouble of installing a keylogger.

Of course, as spider.io says, virtual keyboards are typically used to reduce the chance that a hacker can record keypresses with hardware keyboard interceptors or keyloggers.

In order to demonstrate how easy it is to exploit, spider.io has turned the tracking bug into a game, which can be found here.

Screenshot of demo from Spider.io

I would report on how it plays, but like Richard Chirgwin over at The Register, when it comes to IE, I'm a teetotaller. I never touch the stuff.

Spider.io says that for the game, they typed out 12 credit card numbers, telephone numbers, usernames, passwords and email addresses using a virtual keyboard and mouse.

The challenge is to decipher the corresponding mouse traces and reconstruct what they typed as quickly as possible - a task that, they assure visitors, will get across the ease of the exploit.

The leader, as of Thursday, was a visitor who reconstructed the 12 keyboard patterns in 24 minutes 53 seconds.

The technical details of the vulnerability have to do with IE's event model, which populates the global Event object with attributes relating to mouse events, even when it should pipe down about them, spider.io says.

That chattiness, combined with the ability to trigger events manually with a method called fireEvent(), allows JavaScript on any website or in any iFrame to query for the cursor position anywhere on the screen, at any time, regardless of the page being minimised or inactive.

That same fireEvent method also exposes the status of control, shift and alt keys, spider.io says.
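For anyone vetting third-party ad creatives, the pattern described above can be screened for statically. The following is an added example, not code from spider.io or Microsoft: the sample creatives are constructed, the `triage` function and its verdict labels are hypothetical, and `screenX`/`screenY` and `ctrlKey`/`shiftKey`/`altKey` are the standard event attributes for the cursor position and modifier-key state the paragraphs refer to.

```javascript
// Static triage of ad-creative JavaScript: a script that synthesises an event
// with fireEvent() and then reads pointer or modifier-key state is flagged.
// Heuristic only; obfuscated or dynamically built code will evade it.
const SIGNALS = [
  { name: "fireEvent-call", re: /\.\s*fireEvent\s*\(/ },
  { name: "screen-coords",  re: /\.\s*screen[XY]\b/ },
  { name: "modifier-keys",  re: /\.\s*(ctrl|shift|alt)Key\b/ },
  { name: "timer-loop",     re: /\bset(Interval|Timeout)\s*\(/ },
];

// Remove comments so commented-out code does not raise a signal.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/(^|[^:])\/\/.*$/gm, "$1"); // keep "http://" style text intact
}

function triage(src) {
  const code = stripComments(src);
  const hits = SIGNALS.filter((s) => s.re.test(code)).map((s) => s.name);
  const has = (n) => hits.includes(n);
  let verdict = "pass";
  if (has("fireEvent-call")) {
    // Synthetic event plus pointer/modifier reads is the combination of concern;
    // fireEvent() on its own was also used legitimately, so it only gets a review.
    verdict = has("screen-coords") || has("modifier-keys") ? "flag" : "review";
  }
  return { hits, verdict };
}

// Constructed sample creatives (not taken from any real ad).
const SAMPLES = {
  "creative-a":
    'setInterval(function () { probe.fireEvent("onmousemove"); ' +
    "send(window.event.screenX, window.event.screenY); }, 100);",
  "creative-b": "banner.onmousemove = function () { hover(window.event.clientX); };",
  "creative-c": '// legacy: el.fireEvent("onclick")\nel.click();',
  "creative-d": 'btn.fireEvent("onclick");',
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(triage(src)));
}
```

A "flag" verdict is a reason to read the creative by hand, not proof of tracking.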

Should we anticipate a fix soon?

Take what I view as a lackadaisical response from Microsoft, mix it with the prospect of a few billion devalued ad clicks, and see how fast that cupcake rises.

In other words, probably not.

In the meantime, while we're waiting for a possible fix, the best solution - if you are worried about this flaw - is to use a different browser than Internet Explorer.


Mouse cursor image from Shutterstock.


11 Responses to Internet Explorer flaw allows attackers to track your mouse movements

  1. Trent · 646 days ago

    Thanks for bringing this to my attention, I guess there won't be a fix it solution from M.S. until they release a patch, if they ever do. I'm one of those people who started off using IE. in the mid 90's and although I try, I can't seem to stop using it as my default browser.

  2. JimboC_Security · 646 days ago

    I think Lisa is right about the possibility of a fix especially since it can devalue ad clicks. According to a blog post on the IE blog:

    “We are actively working to adjust this behavior in IE. There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers. We will update this blog with more information as it is available".

    Source: http://blogs.msdn.com/b/ie/archive/2012/12/13/upd...

    From a separate article, Microsoft stated the following:

    "it will provide further information as soon as it receives it and will be acting on it to protect its customers".

    Source: http://www.h-online.com/security/news/item/Intern...

    Apologies for linking to external sources but I feel that it should provide some reassurance.

    Thanks.

  3. jim · 646 days ago

    I doubt if MS is worried about devalued mouse clicks as much as devalued stock shares. When THOSE become affected, expect change.

  4. re: "allows JavaScript"

    Why can't this be dealt with by simply turning javascript off in IE? Or uninstalling Java completely?

    !TIA!

  5. MikeP_UK · 646 days ago

    Many use Firefox, Opera or Chrome because IE is so flawed. Trouble is, does the IE flaw also affect the use of these other browsers considering that a large part of IE is running in the background anyway?
    M$ should be shamed into fixing it rather than putting it on a back burner.

    • Tor · 646 days ago

      Then again, when was the last time MS actually released something good? The majority still use WinXP. I believe the main reason people still use it is because they've never tried any other OS.

      Anyway, if I've understood the text correctly, you will need to have a page with said ad OPEN (whether it's minimised, in the back or whatnot doesn't matter). So if you just CLOSE IE, other applications shouldn't be affected.

  6. Joshua · 646 days ago

    People shouldn't be using IE in the first place. It's a terrible browser.

  7. John · 644 days ago

    I always open a new Internet Explorer instance before logging onto banking websites. If I'm going to do online banking, it looks like I need to do this before doing any other surfing. (This also implies that my bank hasn't decided to host 3rd party ads in a greedy money making attempt!)

  8. PLAyer · 644 days ago

    Just go ahead and publicly release the code so we can use it.
    -- China


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.