Skip Links

Microsoft downplays privacy risk from IE bug as Steal from IE Users game launches

Does tracking the position of your mouse cursor pose a privacy risk? While Microsoft claims the vulnerability in IE 6 -10 is exaggerated, Spider.io created a Steal from IE Users game.

By Ms. Smith on Sun, 12/16/12 - 12:54pm.

Does tracking the position of your mouse cursor pose a privacy risk? A UK company said some advertisements are setup with JavaScript to determine the mouse position and thereby determine if an ad was displayed in the browser window. Advertising analytics company Spider.io claimed that two companies were exploiting this via a flaw in Microsoft IE 6 - 10. Microsoft said Spider.io has exaggerated the impact of this vulnerability in order to make its competitors look bad.

An attacker can record your mouse movements anywhere on the screen even if the IE window is minimized, unfocused or inactive, according to the Microsoft IE 6 - 10 vulnerability information posted on Seclists' Bugtraq.

As a user of Internet Explorer, your mouse movements can be recorded by an attacker even if you are security conscious and you never install any untoward software. An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit. This is not restricted to lowbrow porn and file-sharing sites. Through today's ad exchanges, any site from YouTube to the New York Times is a possible attack vector. Indeed, the vulnerability is already being exploited by at least two display ad analytics companies across billions of webpage impressions each month. As long as the page with the exploitative advertiser's ad stays open-even if you push the page to a background tab or, indeed, even if you minimize Internet Explorer—your mouse cursor can be tracked across your entire display.

Spider.io claims there are only "two ways to measure the viewability of display ads. Only one of these ways is comprehensive. Only one is accurate across the long tail of exchange inventory." One of those ways [video] was developed by Spider.io, as Microsoft was quick to point out. Spider.io also provided a demonstration for the data leakage from IE. To test it out, it's recommended that you use IE, so I did and here is what it showed:

Spider.io demonstration of data leakage from Internet Explorer, mouse, ALT, Ctrl, ShiftIt did track the mouse everywhere across the screen as well as the control, shift and alt keys.

Spider.io also provided a "game to illustrate how easily this security vulnerability in Internet Explorer may be exploited to compromise the security of virtual keyboards and virtual keypads."

According to the challenge to Steal from IE users, "We typed out twelve credit-card numbers, telephone numbers, usernames, passwords and email addresses using a virtual keyboard and mouse. As a bit of fun, and also to show you how easy it is to do, we're challenging you to decipher the corresponding mouse traces and reconstruct what we typed as quickly as you can." There are currently 102 users listed on leaderboard for stealing from IE users.

Maybe you think "big deal; what real privacy risks could come from capturing your mouse movements?" Below is a "screencast showing how the security vulnerability in Internet Explorer may be used to track the mouse cursor over the Skype keypad despite the Internet Explorer window not being the active window and despite the mouse cursor not actually being over the Internet Explorer window."

Dean Hachamovitch, Microsoft's corporate vice president for Internet Explorer, blogged that "Microsoft is working closely with other companies to address the concern of mouse position movement. From what we know now, the underlying issue has more to do with competition between analytics companies than consumer safety or privacy."

Online advertisers started a shift (link) "from a 'served' to a 'viewable' impression[s]." Many different analytics companies stepped up to compete in this space. That competition has had many public results, including lawsuits (link). One of the companies involved in this space is Spider.io, which recently reported an issue in IE involving mouse pointer information. Spider.io is an advertising analytics company.

Although Microsoft is "actively working to adjust this behavior in IE," Hachamovitch wrote, "There are similar capabilities available in other browsers" and that "the only reported active use of this behavior involves competitors to Spider.io providing analytics."

However, Spider.io took issue with that and replied: "It is important to clarify that other browsers do not leak mouse-cursor position outside of the browser window in the way that Internet Explorer does." Furthermore, the company's CEO Douglas de Jager told Jeremy Kirk "that it is a notable data leak and that Microsoft's accusation is an attack on his company. He said in an interview that at least one other ad analytics company was aware of the flaw but deliberately decided not to use it to gather display ad statistics."

Additionally, Spider.io wrote, "It has been suggested that exploitation of the vulnerability to compromise login details and other confidential information is 'theoretical', 'hard to imagine' and would require 'serving an ad to a site that asks for a logon.' This is not the case. Ads do not need to be served to sites requiring login details. Ads need only to be served to some page which is open in Internet Explorer." The company said that if you are using Chrome for banking, but if IE is opened, even minimized, then you are at risk.

Spider.io disclosed the flaw to Microsoft in October 2012 and reported at that time, "Whilst the Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser."

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic