facebook rss twitter

Internet Explorer vulnerability allows hackers to track mouse

by Mark Tyson on 13 December 2012, 18:30

Tags: Internet Explorer

Quick Link: HEXUS.net/qabqfr

Add to My Vault: x

Today Microsoft has confirmed it is looking into an Internet Explorer vulnerability that allows a hacker to track the movements of your mouse cursor. The flaw is such that the mouse cursor can be tracked, even if the browser isn’t currently the active window being used. This is a worrying security risk as the data could reveal a users’ input upon a virtual keyboard such as those used in online secure banking forms.

Have a look below at the exploit in action as a “hacker” watches Skype keypad input.

Analytics company Spider.io first found the vulnerability back in October and reported it to Microsoft at that time. This Internet Explorer vulnerability is present within all editions of the browser from IE6 to IE10. To exploit it a hacker needs to display an advertisement on any page that you visit, while that tab remains open all your mouse movements can be tracked. On its blog Spider.io states that “The vulnerability is particularly troubling because it compromises the security of virtual keyboards and virtual keypads.”

Spider.io told Wired that “a number of web analytics companies are already making use of this ability to track cursor movements” to optimise web sites and advertisement placement. A Microsoft spokesman today told TNW that “We are currently investigating this issue, but to date there are no reports of active exploits or customers that have been adversely affected.” While no decision upon any action has yet been made the spokesman said “We will provide additional information as it becomes available and will take the appropriate action to protect our customers.”

A potential attacker needs to know quite a bit about a screen layout before successfully tracking IE user inputs writes Wired. However the exploit would be extremely useful to a hacker who already had malware on the system and it could be used to complement a key-logging program, for example.


HEXUS Forums :: 9 Comments

Login with Forum Account

Don't have an account? Register today!
I'd love to watch them track mine, I dance it to the music and use it to guide my eyes when reading text. On top of that I just like to wave it round based on my mood! :D
Ditto, they'd go nuts watching mine constantly drawing boxes on the desktop and highlighting text randomly, drives my gf nuts :D
can't help but think this is just another ‘IE=(GOOD|BAD)’ makes pages impressions story.
More worrying would be if this could be used to track touch enabled devices' finger movements, considering we'd mostly be talking about standard keyboard layouts there. Imagine this scenario where you browse various sites using a tab enabled browser and one of the tabs has this exploit running without you knowing. You then navigate to other tabs and complete purchases, enter your credit card details,… all by typing on a virtual keyboard that's easy enough to anticipate its location and layout. Now, that is indeed worrying. I didn't investigate the MS touch APIs in IE, but if they're using similar or even same APIs as for any other HID, this is hackers gold. It would actually be extremely easy for MS to solve this by simply tracking IE mouse movements (or any other HID events) when the caller window is active and limit that tracking to active window's system events, like in any other application. Funny enough, they aren't doing it yet. IE must be written off as some procedural garbage, simple as that.
can't help but think this is just another ‘IE=(GOOD|BAD)’ makes pages impressions story.
Probably true. Then again I stopped using IE two or three bad-stories-about-it ago - even on Windows I use Chrome or Firefox, and if I could be bothered to disable IE I probably would.

But for the sake of the folks who do use IE, I hope Microsoft are taking this seriously and generating a patch…