IE mouse-tracking flaw allows anyone to steal passwords
By Stewart Mitchell
Posted on 13 Dec 2012 at 10:32
Security experts have revealed a flaw in Internet Explorer – versions 6 to 10 – that means attackers could trace mouse movements.
According to analytics company Spider.io, the vulnerability is a significant threat because it allows malicious parties to read input entered via on-screen keyboards and keypads.
Virtual keypads are used as a security measure when signing into services such as online banking in a bid to thwart keystroke logging attacks.
According to Spider.io, the attack requires no serious hacking tools and does not need the browser to download any malware, because it can be employed via online ads.
"An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit - this is not restricted to low-brow porn and file-sharing sites," the company warned.
"Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector. Indeed, the vulnerability is already being exploited by at least two display ad analytics companies."
Spider, which has developed a demonstration game to highlight the issue, said the problem revolves around the way IE's event model allows JavaScript in any webpage - or in any iframe within any webpage - to poll for the position of the mouse cursor anywhere on the screen and at any time.
Spider.io notified Microsoft of the flaw in October, but Microsoft isn't planning to fix the problem immediately, which is why the analytics firm has taken it public.
"It is important for users of Internet Explorer to be made aware of this vulnerability and its implications - the vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month," Spider.io said in a blog post.
