A vulnerability affecting Internet Explorer versions 6 through 10 could make it possible for a hacker to monitor the movements of your mouse, even if the browser window is minimized.
According to UK-based web analytics firm Spider.io, this means that passwords and PINs could be captured by a canny thief if they are typed on a virtual (on-screen) keyboard. What's more, the flaw is already being exploited by two display advertising networks, the company said, though it did not name them in its statement.
"As long as the page with the exploitative advertiser's ad stays open - even if you push the page to a background tab or, indeed, even if you minimize Internet Explorer - your mouse cursor can be tracked across your entire display," Spider.io said.
The company added that, while the problem has been acknowledged by the Microsoft Security Research Center, there are apparently no immediate plans for a patch.
Spider.io also published the technical details of the exploit, which involves the browser's global Event object, as well as a game demonstrating how it could be used to monitor user input to a virtual keyboard.
UPDATE: Microsoft has since published an official blog post on the issue, saying that the risk to consumer privacy is almost entirely theoretical, and that "the underlying issue has more to do with competition between analytics companies than consumer safety or privacy."