IE mouse tracking flaw allows sites to record cursor movements

By on December 12, 2012, 5:30 PM

Spider.io reported today that Microsoft has no "immediate plans" to fix the potential Internet Explorer vulnerability that allows any website operator (or advertiser, hacker, etc.) to track a visitor's mouse cursor movements. Microsoft's security team has acknowledged the issue, but it is unclear if it will ever be resolved.

It was a few months ago that Spider.io first uncovered the interesting Internet Explorer flaw (feature?). Most disturbingly though, the flaw isn't isolated to just the browser window: it extends beyond IE's viewport to anywhere on a user's screen -- it even continues to work while the browser window is minimized. This bug affects IE6, IE7, IE8, IE9 and yes -- you guessed it -- IE10.

Proponents of squashing this bug believe the flaw not only has obvious privacy implications but also presents a security risk, particularly for virtual keyboard and keypad users. Physically disabled and security-minded visitors who may use virtual keyboards as a way to preempt keyloggers should be the most concerned. For everyone else though, well... it's just creepy.

One thing that is not mentioned though -- and I'm very curious about this -- is whether or not the flaw extends to Windows touchscreen PCs and tablets. When a user touches an element within Internet Explorer on Windows 8 or RT, for example, can the location of those touches be recorded like the movements of a mouse? If so, this could be a huge security issue for Windows touchscreen users who rely upon an on-screen keyboard, potentially providing a way to expose their passwords and other sensitive information.

Here is Spider.io's demo which demonstrates the potential vulnerability for IE users. Any Surface (or Windows touchscreen) users out there care to give it a shot? Let us know what you find.




User Comments: 7

Chazz said:

Interesting. Curious, would the "hacker" know what's on your screen (outside of IE)? Would they have to take screenshots of your computer to know what you're clicking? It seems this is more of a privacy issue if so. Regardless they need to fix this asap.

ikesmasher said:

That's why you don't use IE. I don't care how much "better" it is than before, there are better options and Microsoft is continuing to neglect huge issues.

Trillionsin said:

I don't care if they know where my mouse is or clicking... what I do care about is when it's in relation to what's on my screen. I kinda skimmed the article, and maybe I missed a detail... but sounds like no big deal.

FF222 said:

That's why you don't use IE. I don't care how much "better" it is than before, there are better options and Microsoft is continuing to neglect huge issues.

Yeah, right. Both Chrome and Firefox have dozens of vulnerabilities discovered every month in them (all of them which allow you also to monitor mouse coordinates, and much more), but you don't use IE, because a web page opened in it can query the coordinates of the mouse - which by itself has no privacy implications whatsoever. Makes sense.

Guest said:

Ha ha, silly they are. Even a big company like tinysoft can't escape the bug pandemic. Seems their updates are the work of little children or people that work for their daily 10 grains of rice.

Keep up the good work!

Guest said:

Does having an SSL connection to (for example) your bank mitigate this risk?

ikesmasher said:

Yeah, right. Both Chrome and Firefox have dozens of vulnerabilities discovered every month in them (all of them which allow you also to monitor mouse coordinates, and much more), but you don't use IE, because a web page opened in it can query the coordinates of the mouse - which by itself has no privacy implications whatsoever. Makes sense.

'Cause Firefox and Chrome are the only "better" alternatives, right? kk.

I wasn't talking about this one in particular. I don't care how small the privacy threat is, make some sort of attempt to fix it.
