Today Microsoft has confirmed it is looking into an Internet Explorer vulnerability that allows a hacker to track the movements of your mouse cursor. The cursor can be tracked even if the browser isn’t the active window. This is a worrying security risk, as the data could reveal a user’s input on a virtual keyboard such as those used in secure online banking forms.
Have a look below at the exploit in action as a “hacker” watches Skype keypad input.
Analytics company Spider.io first found the vulnerability back in October and reported it to Microsoft at that time. This Internet Explorer vulnerability is present in all editions of the browser from IE6 to IE10. To exploit it, a hacker needs to display an advertisement on any page that you visit; while that tab remains open, all your mouse movements can be tracked. On its blog Spider.io states that “The vulnerability is particularly troubling because it compromises the security of virtual keyboards and virtual keypads.”
Spider.io told Wired that “a number of web analytics companies are already making use of this ability to track cursor movements” to optimise web sites and advertisement placement. A Microsoft spokesman today told TNW that “We are currently investigating this issue, but to date there are no reports of active exploits or customers that have been adversely affected.” While no decision on any action has yet been made, the spokesman said “We will provide additional information as it becomes available and will take the appropriate action to protect our customers.”
A potential attacker needs to know quite a bit about a screen layout before successfully tracking IE user inputs, writes Wired. However, the exploit would be extremely useful to a hacker who already had malware on the system, and it could be used to complement a key-logging program, for example.