IE flaw allows attackers, advertisers to track cursor movement

Advertisers have been using a flaw in Internet Explorer to log the mouse movements of users, an issue that could be used to log authentication data entered via virtual keyboards.
Written by Michael Lee, Contributor

A software engineer from online analytics company Spider.io is claiming that a security flaw in Internet Explorer 6-10 could allow attackers or advertisers to track user's mouse movements, potentially compromising data entered via virtual keyboards.

Nick Johnson, who previously worked for Google before joining Spider.io, posted details of the flaw on the Bugtraq mailing list this morning.

"Internet Explorer's event model populates the global Event object with some attributes relating to mouse events, even in situations where it should not. Combined with the ability to trigger events manually using the fireEvent() method, this allows JavaScript in any web page (or in any iframe within any web page) to poll for the position of the mouse cursor anywhere on the screen and at any time — even when the tab containing the page is not active, or when the Internet Explorer window is unfocused or minimized."

Knowing the position of the cursor has significant ramifications for authentication systems that use a virtual keyboard as a means to circumvent keyloggers. Virtual keyboards that randomise key placement would likely be unaffected.

Johnson also believes that it would be relatively trivial for an attacker to use the flaw on high-traffic and generally trusted sites by purchasing advertising space on popular sites.

"Through today's ad exchanges, any site from YouTube to the New York Times is a possible attack vector. Indeed, the vulnerability is already being exploited by at least two display ad analytics companies across billions of web page impressions each month."

The nature of the flaw means that the tracking of cursor movements is not simply restricted to Internet Explorer either. According to Johnson, so long as the page remains open, even if it has been placed in a background tab or the entire Internet Explorer application is minimised, it will continue to log movements.

Spider.io has developed a website demonstrating the flaw in action, although it does seem to have issues detecting multiple displays. It has also created a game where a trace of mouse movements is presented to users, who can then attempt to guess the corresponding input.

Editorial standards