New web browser vulnerability tracks mouse movements, virtual keyboards

The vulnerability, discovered by Spider.io and reported to Microsoft, affects IE versions six through 10. The disturbing thing is that nefarious types can gain access to a victim’s cursor movements without a shred of social engineering – a user doesn’t have to install a piece of malware. Criminals can simply buy a display ad slot on any webpage in order to perform the hack. And, in fact, the company found that the vulnerability is already being exploited by at least two display ad analytics companies across billions of webpage impressions each month.

“This is not restricted to lowbrow porn and file-sharing sites,” explained Spider.io researcher Nick Johnson. “Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector.”

He added, “As long as the page with the exploitative advertiser’s ad stays open—even if you push the page to a background tab or, indeed, even if you minimize Internet Explorer—your mouse cursor can be tracked across your entire display.”

The way it works is this: IE’s event model records attributes of mouse events, including the cursor’s position. Combined with the ability to trigger events manually using the fireEvent() method, researchers explained, this lets JavaScript in any webpage or iframe poll the position of the mouse cursor anywhere on the screen, at any time. The fireEvent() method also exposes the status of the control, shift and alt keys.

The upshot is that hackers can monitor certain positions of the cursor on the screen and can tell, from the typical screen layouts of, say, well-known online banking or travel booking sites, when a credit card number or password is being entered – and they can log it. Spider.io found that it’s possible to decipher cursor tracks for 12 credit card numbers, passwords, email addresses and other credentials.

Spider.io said that the Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, but said that there are no immediate plans to patch this vulnerability in existing versions of the browser.

So, Spider.io, in an effort to educate users in the meantime, has created a game, “Steal from IE Users,” to illustrate how easily this security vulnerability in Internet Explorer may be exploited to compromise the security of virtual keyboards and virtual keypads. It’s especially timely given the rise of touchscreen tablets and the Windows 8 operating system, which touch-enables some laptops as well.
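The attack on virtual keypads described above works because a fixed key layout makes screen coordinates a stand-in for the digit pressed. The following is an added example, not Spider.io’s or the magazine’s code, of the standard countermeasure: a keypad model whose digit layout is shuffled every time it is shown, so that a coordinate alone no longer identifies a digit. The 5×2 grid geometry and the pixel cell size are assumptions.

```javascript
// Added example: a virtual keypad whose layout is re-shuffled on every display.
// Grid geometry (5 columns x 2 rows of 60px cells) is an assumption for illustration.
const KEYPAD = { cols: 5, rows: 2, cellW: 60, cellH: 60 };

function secureRandom() {
  // Uniform float in [0, 1) from a CSPRNG when one is available.
  const c = globalThis.crypto;
  if (c && typeof c.getRandomValues === 'function') {
    const buf = new Uint32Array(1);
    c.getRandomValues(buf);
    return buf[0] / 4294967296;
  }
  return Math.random(); // fallback for environments without Web Crypto; not for production use
}

// Fisher-Yates shuffle of the digits 0-9. The rng is injectable so tests are deterministic.
// Returns an array where index = grid cell (row-major) and value = digit drawn in that cell.
function buildKeypadLayout(rng = secureRandom) {
  const digits = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9];
  for (let i = digits.length - 1; i > 0; i--) {
    const j = Math.floor(rng() * (i + 1));
    [digits[i], digits[j]] = [digits[j], digits[i]];
  }
  return digits;
}

// Map a pointer position (pixels relative to the keypad's top-left corner) to the digit under it,
// or null when the point lies outside the grid.
function digitAtPoint(layout, x, y, geom = KEYPAD) {
  const col = Math.floor(x / geom.cellW);
  const row = Math.floor(y / geom.cellH);
  if (col < 0 || row < 0 || col >= geom.cols || row >= geom.rows) return null;
  return layout[row * geom.cols + col];
}

// What an observer who sees only cursor coordinates can infer: the set of digits one point
// resolved to across independently shuffled keypads. A fixed layout yields a single digit;
// a shuffled layout spreads the same point over all ten, which is what defeats the inference.
function digitsSeenAtPoint(x, y, trials, rng = secureRandom, geom = KEYPAD) {
  const seen = new Set();
  for (let t = 0; t < trials; t++) {
    seen.add(digitAtPoint(buildKeypadLayout(rng), x, y, geom));
  }
  return seen;
}
```

Shuffling once per display is enough against an observer who only receives coordinates; re-shuffling after each keypress also limits what a layout learned by other means is worth.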