Internet Explorer vulnerability permits mouse cursor tracking

By on
Internet Explorer vulnerability permits mouse cursor tracking

Vulnerability being exploited.

A website analytics firms has discovered a security vulnerability in all current versions of Internet Explorer that allows attackers to trace mouse cursors anywhere on users' screens.

Spider.io, which reported the vulnerability, said the tracking can be done even if the Internet Explorer browser window is minimised.

The vulnerability can be exploited to capture virtual or screen keyboard input, Spider.io said.

Such input methods are typically used to reduce the risk of keylogger malware recording keystrokes on physical keyboards.

Virtual keyboards are also used by disabled people, and when there is no physical keyboard present.

Security vendor Kaspersky Lab uses a virtual keyboard as part of its Anti-Virus 2013 product to avoid interception of data. 

User names, passwords and credit card details can be captured through the exploit, according to Spider.io. 

Two unnamed display ad analytics companies already exploit the vulnerability, "across billions of page impressions a month," Spider.io said.

The company said that no software needs to be installed on victims' computers and the tracking is done entirely through Javascript embedded in webpages.

Thanks to Internet Explorer's event model populating the global Event object with mouse event attributes, and the ability to trigger events manually through the fireEvent() method, attackers can easily work out where on the screen the mouse cursor is placed.

This is irrespective of the tab or window containing the tracking Javascript being inactive or not in focus, or minimised. Several mouse and keyboard status properties can be read this way by attackers.

Spider.io has set up a demo page to show how the data leakage vulnerability works.

iTnews tested with Internet Explorer versions 9 on Windows 7 and 10 on Windows 8, and can confirm that the mouse cursor tracking exploit works on both.

Other browsers such as Chrome, Opera and Firefox are not vulnerable to the exploit.

Microsoft's Security Research Centre has been notified by Spider.io and acknowledged the vulnerability in Internet Explorer.

However, according Spider.io, the MSRC said "there are no immediate plans to patch this vulnerability in existing versions of the browser."

Copyright © iTnews.com.au . All rights reserved.
Tags:
In Partnership With

Most Read Articles

Log In

Username / Email:
Password:
  |  Forgot your password?