An attacker can record your mouse movements anywhere on the screen even if the IE window is minimized, unfocused or inactive, according to the Microsoft IE 6 - 10 vulnerability information posted on Seclists' Bugtraq.
As a user of Internet Explorer, your mouse movements can be recorded by an attacker even if you are security conscious and you never install any untoward software. An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit. This is not restricted to lowbrow porn and file-sharing sites. Through today's ad exchanges, any site from YouTube to the New York Times is a possible attack vector. Indeed, the vulnerability is already being exploited by at least two display ad analytics companies across billions of webpage impressions each month. As long as the page with the exploitative advertiser's ad stays open, even if you push the page to a background tab or, indeed, even if you minimize Internet Explorer, your mouse cursor can be tracked across your entire display.
Spider.io claims there are only "two ways to measure the viewability of display ads. Only one of these ways is comprehensive. Only one is accurate across the long tail of exchange inventory." One of those ways [video] was developed by Spider.io, as Microsoft was quick to point out. Spider.io also provided a demonstration for the data leakage from IE. To test it out, it's recommended that you use IE, so I did and here is what it showed:
Spider.io also provided a "game to illustrate how easily this security vulnerability in Internet Explorer may be exploited to compromise the security of virtual keyboards and virtual keypads."
According to the challenge to Steal from IE users, "We typed out twelve credit-card numbers, telephone numbers, usernames, passwords and email addresses using a virtual keyboard and mouse. As a bit of fun, and also to show you how easy it is to do, we're challenging you to decipher the corresponding mouse traces and reconstruct what we typed as quickly as you can." There are currently 102 users listed on the leaderboard for stealing from IE users.
Maybe you think "big deal; what real privacy risks could come from capturing your mouse movements?" Below is a "screencast showing how the security vulnerability in Internet Explorer may be used to track the mouse cursor over the Skype keypad despite the Internet Explorer window not being the active window and despite the mouse cursor not actually being over the Internet Explorer window."
Dean Hachamovitch, Microsoft's corporate vice president for Internet Explorer, blogged that "Microsoft is working closely with other companies to address the concern of mouse position movement. From what we know now, the underlying issue has more to do with competition between analytics companies than consumer safety or privacy."
Online advertisers started a shift "from a 'served' to a 'viewable' impression[s]." Many different analytics companies stepped up to compete in this space. That competition has had many public results, including lawsuits. One of the companies involved in this space is Spider.io, which recently reported an issue in IE involving mouse pointer information. Spider.io is an advertising analytics company.
Although Microsoft is "actively working to adjust this behavior in IE," Hachamovitch wrote that "there are similar capabilities available in other browsers" and that "the only reported active use of this behavior involves competitors to Spider.io providing analytics."
However, Spider.io took issue with that and replied: "It is important to clarify that other browsers do not leak mouse-cursor position outside of the browser window in the way that Internet Explorer does." Furthermore, the company's CEO Douglas de Jager told Jeremy Kirk "that it is a notable data leak and that Microsoft's accusation is an attack on his company. He said in an interview that at least one other ad analytics company was aware of the flaw but deliberately decided not to use it to gather display ad statistics."
Additionally, Spider.io wrote, "It has been suggested that exploitation of the vulnerability to compromise login details and other confidential information is 'theoretical', 'hard to imagine' and would require 'serving an ad to a site that asks for a logon.' This is not the case. Ads do not need to be served to sites requiring login details. Ads need only to be served to some page which is open in Internet Explorer." The company said that even if you use Chrome for banking, you are at risk as long as IE is open, even minimized.
Spider.io disclosed the flaw to Microsoft in October 2012 and reported at that time, "Whilst the Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser."
Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. Smith has a diverse background in information technology, programming, web development, IT consulting, and information security. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.
Smith is an independent contractor and is not affiliated with any vendor that makes or sells information technology.