Microsoft’s Internet Explorer can track your mouse movements anywhere on the screen, even when minimized. And Microsoft, which was informed of the massive potential security hole over two months ago, has no plans to fix it. Which means that as you explore the web, the web can explore you right back.
And this vulnerability is already being exploited by two advertising companies.
Spider.io, the ad analytics company that can tell if your site visitors are real or dream of electric sheep, found the vulnerability months ago — and notified Microsoft on October 1. The security vulnerability allows any display ad on any site to access your mouse movements — you do not have to install anything, agree to anything, or even be visiting some of the seedier alleyways of the web:
“An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit,” Spider.io’s Nick Johnson posted on Seclists.org, a security-related bug-tracking site. “This is not restricted to lowbrow porn and file-sharing sites. Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector.”
The vulnerability in IE versions 6-10 allows hackers to see what your mouse is doing on-screen … which could include typing personal information such as credit card numbers and passwords into virtual on-screen keyboards, a particularly timely security hole in the era of Windows 8 and its emphasis on touch and on-screen interactions.
“Indeed, the vulnerability is already being exploited by at least two display ad analytics companies across billions of webpage impressions each month,” Johnson added to the bug report. “As long as the page with the exploitative advertiser’s ad stays open—even if you push the page to a background tab or, indeed, even if you minimize Internet Explorer—your mouse cursor can be tracked across your entire display.”
If you’re using IE on a PC and want to test this, Spider.io created a live demonstration which you can use to observe the vulnerability in action. The company also created a game, “Steal from IE Users,” in which Spider.io is challenging more technically-oriented users to decipher mouse tracks to uncover 12 credit card numbers, telephone numbers, passwords, and email addresses.
One thing that is not yet clear is whether the vulnerability affects just the PC version of Internet Explorer or tablet versions — as in Surface — which would be even more likely to use virtual keyboards. I have talked to Spider.io, and will update this post as the company releases any more information.
VentureBeat has contacted Microsoft for a statement or comment and will update this story as the company responds.