IE flaw allows attackers, advertisers to track cursor movement

IE flaw allows attackers, advertisers to track cursor movement

Summary: Advertisers have been using a flaw in Internet Explorer to log the mouse movements of users, an issue that could be used to log authentication data entered via virtual keyboards.

SHARE:

A software engineer from online analytics company Spider.io is claiming that a security flaw in Internet Explorer 6-10 could allow attackers or advertisers to track user's mouse movements, potentially compromising data entered via virtual keyboards.

Nick Johnson, who previously worked for Google before joining Spider.io, posted details of the flaw on the Bugtraq mailing list this morning.

"Internet Explorer's event model populates the global Event object with some attributes relating to mouse events, even in situations where it should not. Combined with the ability to trigger events manually using the fireEvent() method, this allows JavaScript in any web page (or in any iframe within any web page) to poll for the position of the mouse cursor anywhere on the screen and at any time — even when the tab containing the page is not active, or when the Internet Explorer window is unfocused or minimized."

Knowing the position of the cursor has significant ramifications for authentication systems that use a virtual keyboard as a means to circumvent keyloggers. Virtual keyboards that randomise key placement would likely be unaffected.

Johnson also believes that it would be relatively trivial for an attacker to use the flaw on high-traffic and generally trusted sites by purchasing advertising space on popular sites.

"Through today's ad exchanges, any site from YouTube to the New York Times is a possible attack vector. Indeed, the vulnerability is already being exploited by at least two display ad analytics companies across billions of web page impressions each month."

The nature of the flaw means that the tracking of cursor movements is not simply restricted to Internet Explorer either. According to Johnson, so long as the page remains open, even if it has been placed in a background tab or the entire Internet Explorer application is minimised, it will continue to log movements.

Spider.io has developed a website demonstrating the flaw in action, although it does seem to have issues detecting multiple displays. It has also created a game where a trace of mouse movements is presented to users, who can then attempt to guess the corresponding input.

Topics: Security, Malware, Microsoft, Privacy

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

11 comments
Log in or register to join the discussion
  • And for touch screen devices?

    I wonder whether with touch screen virtual keyboards, IE populates the global event model with the position of the touch, therefore allowing the virtual key touched to be extrapolated. It depends, I guess, on whether a virtual keystroke also registers as a cursor position. Probably not, but it strikes me that all the touch screen Windows users out there might like to know.
    stephenkendrick
  • Yes, this is a CRITICAL bug...

    ... for all those people who click on an on-screen keyboard with a mouse.

    I can probably count on one finger the number of times in the past 10 years I've done that. Anyone else affected by this dire issue?
    Speednet
    • it does

      sort of blow picture passwords out of the water unless they are sized and positioned randomly with each login.
      don3605
    • Government websites...

      ...that give government employees access to personal data (training, pay records, benefits, etc.) use a virtual keyboard, however the keys on the virtual keyboard are randomized (which makes it a pain in the backside to get to your own data quickly).

      Additional mitigation (along with the randomized virtual keyboard is that government employeess have to have a CAC (Common Access Card) plugged into a card reader so they have two factor authentication.
      PollyProteus
  • Firefox, too!

    I use Firefox extensively, and it seems to suffer from the same problem. Now, when I go to any web site partially supported by ads (e.g. eBay, mail2web), words show up with mysterious underlining/highlighting. Mistakenly slide your cursor over one of these words and up pops a useless pop-up advertising something equally useless to me. Advertisers who go in this direction do not seem to realize that annoying potential customers is not the way to sell something... Ben Myers
    ben_myers
  • And more too!

    I have noticed the rollover-ad popup, which is annoying since it is often necessary to cross over the ad trigger to get to where I want, especially when using a laptop touchpad rather than a "real" mouse. In addition, I have noted that (in Firefox) while on Youtube, after using the mouse or touchpad anywhere on the image to adjust volume, etc, EVEN after clicking on open space, the keyboard up-down keys no longer work to scroll the page; and after viewing an Adobe PDF within Firefox, Ctrl-F4 no longer closes the tab, requiring me to use the X on the tab with the mouse instead.

    One of the comments asked why anyone would want to click on a virtual keyboard with a mouse. The article pointed out that some security-minded login pages REQUIRE their password to be entered with a virtual keyboard, in order to bypass keyboard logger malware. The threat here is that the web site could act as a virtual keyboard logger.

    This has to be disallowed in all browsers for both aesthetic reasons and security reasons.
    jallan32
  • Another ad annoyance!

    While we are talking about web ad annoyances, I have noted that many web pages (including those on this site) have so many ads loaded that, when I scroll down to see the body of an article while ads are still loading, there is at least one sudden, unexpected scroll back up to the top to see an ad picture that was not loaded when I started. The only workaround is to wait an extra 30 to 60 seconds staring at the top of the page until ALL the ad pictures have loaded, before scrolling down to the article. How about modifying browsers so that changes to the page ABOVE the currently scrolled portion do not display until the user MANUALLY scrolls up?
    jallan32
    • you can try this

      Try installing the NoScript add-on in FireFox and adjusting the settings to suit your needs. :-)
      sg1efc
  • What if ...

    one's virtual keyboard application, when launched, changes both its size and location on the display randomly?
    Rabid Howler Monkey
  • scripts

    If you don't allow Java scripting you don't have a problem. If you run IE 8/9/10 with tracking protection and you have loaded the correct protection lists then the analytics companies don't get sent anything.
    mswift1
  • What about programs like RoboForm and KeyScrambler

    Wouldn't those programs thwart them collecting any useable information !?!
    mik3