A software engineer from online analytics company Spider.io is claiming that a security flaw in Internet Explorer 6-10 could allow attackers or advertisers to track user's mouse movements, potentially compromising data entered via virtual keyboards.
Nick Johnson, who previously worked for Google before joining Spider.io, posted details of the flaw on the Bugtraq mailing list this morning.
Knowing the position of the cursor has significant ramifications for authentication systems that use a virtual keyboard as a means to circumvent keyloggers. Virtual keyboards that randomise key placement would likely be unaffected.
Johnson also believes that it would be relatively trivial for an attacker to use the flaw on high-traffic and generally trusted sites by purchasing advertising space on popular sites.
"Through today's ad exchanges, any site from YouTube to the New York Times is a possible attack vector. Indeed, the vulnerability is already being exploited by at least two display ad analytics companies across billions of web page impressions each month."
The nature of the flaw means that the tracking of cursor movements is not simply restricted to Internet Explorer either. According to Johnson, so long as the page remains open, even if it has been placed in a background tab or the entire Internet Explorer application is minimised, it will continue to log movements.
Spider.io has developed a website demonstrating the flaw in action, although it does seem to have issues detecting multiple displays. It has also created a game where a trace of mouse movements is presented to users, who can then attempt to guess the corresponding input.