Internet Explorer Exploit Lets Hackers Track Your Mouse Movements

    December 12, 2012
    Zach Walton

With Windows 8, Microsoft promises that Internet Explorer is good again. The latest release, IE10, is being promoted through a self-deprecating ad campaign that encourages good will through humor. It’s looking like Microsoft is starting to take its browser seriously, but a recent exploit shows that this might not be the case.

Spider.io, a Web analytics platform, reports that they found an exploit in Internet Explorer 6-10 that allowed hackers to track a user’s mouse movement. This exploit was reported to Microsoft at the beginning of October, but no action was taken beyond admitting that the exploit existed. In an attempt to get Microsoft moving towards a fix, the company has gone public with its original report.

So, why is it so bad for hackers to track your mouse movements? The team at Spider.io explains the security risks in its original letter to Microsoft:

A security vulnerability in Internet Explorer, versions 6–10, allows your mouse cursor to be tracked anywhere on the screen, even if the Internet Explorer window is inactive, unfocused or minimised. The vulnerability is notable because it compromises the security of virtual keyboards and virtual keypads.

As a user of Internet Explorer, your mouse movements can be recorded by an attacker even if you are security conscious and you never install any untoward software. An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit. This is not restricted to lowbrow porn and file-sharing sites. Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector. Indeed, the vulnerability is already being exploited by at least two display ad analytics companies across billions of webpage impressions each month. As long as the page with the exploitative advertiser’s ad stays open—even if you push the page to a background tab or, indeed, even if you minimise Internet Explorer—your mouse cursor can be tracked across your entire display.

For those who prefer a visual example, here’s a video of the exploit in action:

The real danger here is that virtual keypads were created to defeat keyloggers, which are already in wide use and let hackers steal passwords and other information typed on a keyboard. Now, with this hack, no password is safe until Microsoft patches it. Unfortunately, it’s looking like Microsoft has no plans to do so.

It’s ridiculous that a company that so adamantly supported Do Not Track is blatantly allowing ad companies to track IE users with an exploit. It’s also reminiscent of a major security flaw found in Java that Oracle refused to patch until its next scheduled patch Tuesday. In the end, the company patched the exploit after enough people raised a stink. By going public, it’s obvious that Spider.io wants people to complain and push Microsoft into fixing this potentially dangerous exploit.

Until Microsoft fixes the exploit, I’d suggest using any one of the other browsers available, especially if you use virtual keypads. Who knows? You might even like it enough to stay. It’s obvious that Microsoft doesn’t care about its users if it doesn’t fix an exploit this dangerous.

[h/t: Wired UK]
  • Cornelius

    IE still sucks. But that in no way means that Microsoft doesn’t care about its users. Only a company like Microsoft could fight on so many fronts and still be relevant. Yes, Bing and Windows Phone are still relevant even if Windows mobile has less than 5% market share. Tell me what company sells operating systems, makes mobile firmwares, sells productivity suites, VIRTUAL machines, provides e-mail clients, provides a search engine, supports home entertainment and provides all those business tools that Microsoft offers? None but Microsoft.

  • http://www.enviroequipment.com Enviro Equipment Inc.

    What gets me is that, in an attempt to get more people to use its search engine, Bing, during the holiday season, Microsoft is running commercials stating that Google is disguising shopping ads as organic search results. Now we find out that Microsoft is failing to close a loophole in Internet Explorer that will allow companies to track users’ mouse movements.

    I’m not saying the two are exactly identical but there is hypocrisy going on here by Microsoft.

  • http://websterhedgesandspence.com Bryant

    All search engines are gathering information. But allowing companies to steal our passwords is just wrong! Most users are unaware of the potential danger.
    Has this evidence been taken to news sources to inform the public?