A security hole in Internet Explorer allows a website to track a user's cursor movements across the whole screen, even when the browser window is inactive, minimised or unfocused. Naked Security reports that the vulnerability was first brought to light by spider.io, vendor of a hosted platform that the company says allows users to distinguish between human website visitors and bots in real time. Interestingly, spider.io reported the flaw to Microsoft in October, adding that IE versions 6 to 10 were affected. While the Microsoft Security Research Center admitted that there was a flaw, it told spider.io that it had “no immediate plans” to patch it in existing browser versions; it was then that spider.io disclosed the flaw publicly.
The loophole essentially allows attackers to track an IE user's mouse movements without the user having installed any software. All an attacker has to do is buy a display ad slot on any website. Spider.io adds, “This is not restricted to lowbrow porn and file-sharing sites. Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector.”
The video below demonstrates the loophole.
Dean Hachamovitch, Corporate Vice President, Internet Explorer, elaborated, “We are actively working to adjust this behavior in IE. There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers. We will update this blog with more information as it is available.”
“The loophole is actively being exploited by at least two display ad analytics companies across billions of webpage impressions each month,” spider.io says. The report highlights that this holds true for any page that is open, even if a visitor pushes it to a background tab or minimises IE altogether, since a mouse cursor can be tracked across the user's entire display.
Because the cursor can be tracked across the whole screen, the vulnerability also allows attackers to capture passwords and credit card details entered on virtual (on-screen) keyboards, without having to install a keylogger. “Of course, as spider.io says, virtual keyboards are typically used to reduce the chance that a hacker can record keypresses with hardware keyboard interceptors or keyloggers,” the report adds.
Hachamovitch adds, “From investigating the specific behavior when mouse position data is visible outside the browser window, sites can view only the mouse state; they cannot view the actual content that the user is interacting with. From our conversations with security researchers across the industry, we see very little risk to consumers at this time. As we have stated previously, there are no reported cases of any consumer having their information compromised.”