IE vulnerability lets in mouse tracking

By on
IE vulnerability lets in mouse tracking

A website analytics firms has discovered a security vulnerability in all current versions of Internet Explorer that allows attackers to trace mouse cursors anywhere on users' screens.

Spider.io, which reported the vulnerability, said the tracking can be done even if the Internet Explorer browser window is minimised.

The vulnerability can be exploited to capture virtual or screen keyboard input, Spider.io said.

Such input methods are typically used to reduce the risk of keylogger malware recording keystrokes on physical keyboards.

Virtual keyboards are also used by disabled people, and when there is no physical keyboard present.

Security vendor Kaspersky Lab uses a virtual keyboard as part of its Anti-Virus 2013 product to avoid interception of data. 

User names, passwords and credit card details can be captured through the exploit, according to Spider.io. 

Two unnamed display ad analytics companies already exploit the vulnerability, "across billions of page impressions a month," Spider.io said.

The company said that no software needs to be installed on victims' computers and the tracking is done entirely through Javascript embedded in webpages.

Thanks to Internet Explorer's event model populating the global Event object with mouse event attributes, and the ability to trigger events manually through the fireEvent() method, attackers can easily work out where on the screen the mouse cursor is placed.

This is irrespective of the tab or window containing the tracking Javascript being inactive or not in focus, or minimised. Several mouse and keyboard status properties can be read this way by attackers.

Spider.io has set up a demo page to show how the data leakage vulnerability works.

Other browsers such as Chrome, Opera and Firefox are not vulnerable to the exploit.

Microsoft's Security Research Centre has been notified by Spider.io and acknowledged the vulnerability in Internet Explorer.

However, according Spider.io, the MSRC said "there are no immediate plans to patch this vulnerability in existing versions of the browser."

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
hacking ie internet explorer microsoft security

Partner Content

Channel can help lead customers to boosting workplace wellbeing with professional headsets
Channel can help lead customers to boosting workplace wellbeing with professional headsets
Ingram Micro Ushers in the Age of Ultra
Ingram Micro Ushers in the Age of Ultra
Build cybersecurity capability with award winning Fortinet training from Ingram Micro
Build cybersecurity capability with award winning Fortinet training from Ingram Micro
Secure, integrated platforms enable MSPs to focus bringing powerful solutions to customers
Secure, integrated platforms enable MSPs to focus bringing powerful solutions to customers
How NinjaOne Is Supporting The Channel As It Builds An Innovative Global Partner Program
How NinjaOne Is Supporting The Channel As It Builds An Innovative Global Partner Program

Sponsored Whitepapers

Driving Innovation and Sustainability through Hybrid IT and AI Solutions
Driving Innovation and Sustainability through Hybrid IT and AI Solutions
Easing the burden of Microsoft CSP management
Easing the burden of Microsoft CSP management
Stop Fraud Before It Starts: A Must-Read Guide for Safer Customer Communications
Stop Fraud Before It Starts: A Must-Read Guide for Safer Customer Communications
The Cybersecurity Playbook for Partners in Asia Pacific and Japan
The Cybersecurity Playbook for Partners in Asia Pacific and Japan
Pulseway Essential Eight Framework
Pulseway Essential Eight Framework

Events

techpartner.news MSP index - Brisbane
techpartner.news MSP index - Brisbane
techpartner.news Channel Leader List / Golf day
techpartner.news Channel Leader List / Golf day
techpartner.news Pipeline Conference 2025
techpartner.news Pipeline Conference 2025
Integrate Expo 2025
Integrate Expo 2025
Security Exhibition & Conference 2025
Security Exhibition & Conference 2025

Most read articles

Dicker Data announces telco division, Vocus partnership

Dicker Data announces telco division, Vocus partnership
Evergreen acquires 100th MSP, Brisbane-based REDD

Evergreen acquires 100th MSP, Brisbane-based REDD
PC retailer Mwave acquired by digiDirect Group

PC retailer Mwave acquired by digiDirect Group
Announcing the 2025 Impact Awards partner project finalists

Announcing the 2025 Impact Awards partner project finalists

Log in

Email:
Password:
  |  Forgot your password?
By using our site you accept that we use and share cookies and similar technologies to perform analytics and provide content and ads tailored to your interests. By continuing to use our site, you consent to this. Please see our Cookie Policy for more information.