Researchers have found a security hole in Internet Explorer, potentially giving hackers a way of tracking your mouse cursor movements, even if your window is inactive, minimised or unfocused.
The vulnerability is particularly worrisome given that it thwarts the use of virtual keyboards and virtal keypads, which are used as a defence against keyloggers.
The vulnerability was discovered by spider.io, vendor of a hosted platform that the company says allows users to distinguish between human website visitors and bots in real time.
Here’s a brief video where the issue is demonstrated:
Spider.io discovered the flaw on 1st October and disclosed it to Microsoft, informing the company that IE versions 6-10 are affected.
Microsoft Security Research Center acknowledged the flaw but isn’t jumping on a fix, telling spider.io that it has “no immediate plans” to patch it in existing browser versions.
So spider.io went public on Tuesday.
The cursor flaw gives attackers access to an IE user’s mouse movements even if he or she has abstained from installing funky software.
Attackers can access visitors’ mouse movements just by buying a display ad slot on any website, and those sites aren’t just the dark alleyways of the Internet, spider.io says:
"This is not restricted to lowbrow porn and file-sharing sites. Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector."
In fact, the vulnerability is actively being exploited by at least two display ad analytics companies across “billions of webpage impressions each month,” spider.io says.
That goes for any page that stays open, even if a visitor pushes it to a background tab or minimises IE altogether, given that “your mouse cursor can be tracked across your entire display,” says the company.
The vulnerability gives attackers the ability to easily snatch passwords or credit card details, all without the trouble of installing a keylogger.
Of course, as spider.io says, virtual keyboards are typically used to reduce the chance that a hacker can record keypresses with hardware keyboard interceptors or keyloggers.
In order to demonstrate how easy it is to exploit, spider.io has turned the tracking bug into a game, which can be found here.
I would report on how it plays, but like Richard Chirgwin over at The Register, when it comes to IE, I’m a teetotaller. I never touch the stuff.
Spider.io says that for the game, they typed out 12 credit card numbers, telephone numbers, usernames, passwords and email addresses using a virtual keyboard and mouse.
The challenge is to decipher the corresponding mouse traces and reconstruct what they typed as quickly as possible – a task that they assure visitors will get across the ease of the exploit.
The leader, as of Thursday, was a visitor who reconstructed the 12 keyboard patterns in 24 minutes 53 seconds.
The technical details of the vulnerability have to do with IE’s event model, which populates the global Event object with attributes relating to mouse events, even when it should pipe down about them, spider.io says.
That same fireEvent method also exposes the status of control, shift and alt keys, spider.io says.
Should we anticipate a fix soon?
Take what I view as a lackadaisical response from Microsoft, mix it with the prospect of a few billion devalued ad clicks, and see how fast that cupcake rises.
In other words, probably not.
In the meantime, while we’re waiting for a possible fix, the best solution – if you are worried about this flaw – is to use a different browser than Internet Explorer.
Mouse cursor image from Shutterstock.