IE Flaw Lets Sites Track Your Mouse Cursor, Even When You Aren't Browsing
An anonymous reader writes "A new Internet Explorer vulnerability has been discovered that allows an attacker to track your mouse cursor anywhere on the screen, even if the browser isn't being actively used. 'Whilst the Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser. It is important for users of Internet Explorer to be made aware of this vulnerability and its implications. The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month.' All supported versions of Microsoft's browser are reportedly affected: IE6, IE7, IE8, IE9, and IE10."
Some of these IE bugs are things of beauty. (Score:5, Funny)
Re:Some of these IE bugs are things of beauty. (Score:4, Funny)
Re: (Score:3)
Re:Some of these IE bugs are things of beauty. (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
Re:Some of these IE bugs are things of beauty. (Score:5, Informative)
More plausibly, this can be used to determine how quickly someone reaches for the top-right corner to kill an advertisement, or if they start to and then suddenly stop because they got distracted by something in the pop-up.
...based on the content of which, you can then predict attitudes, political orientation, sexual orientation, and how many pets someone owns. The r squared of the correlation is nearly 0.05 making it extremely interesting to analytic companies. There is a database somewhere of literally years of mouse movement records that demonstrate changes in religion, politics, and mean income. We're talking about a new marketing paradigm for the 21st century advertiser.
Re: (Score:2)
It would be a pretty good way to "fingerprint" someone whose browser is otherwise rejecting cookies and who is behind NAT with other users.
Re: (Score:2)
Re: (Score:2)
Re:Some of these IE bugs are things of beauty. (Score:5, Insightful)
Seriously, I can't see why anybody else would care, mouse coordinates are not useful data for anything. The fact that they have "detector" exposed... somebody needs to stop working in development for that one.
It is useful data if the user is using a virtual keyboard on a touch-device.
Re:Some of these IE bugs are things of beauty. (Score:5, Insightful)
Or those virtual keyboards some banks force you to use to avoid keyloggers.
Re: (Score:2)
Well, that pretty much solves the problem, doesn't it?
Re: (Score:2)
It does solve the problem for everybody. Except for those 12 people that bought Surfaces.
Re: (Score:2)
What, the Surface doesn't run Linux yet?
Re:Some of these IE bugs are things of beauty. (Score:5, Interesting)
Re:Some of these IE bugs are things of beauty. (Score:5, Informative)
Seriously, I can't see why anybody else would care, mouse coordinates are not useful data for anything.
From the original article: "A security vulnerability in Internet Explorer, versions 6–10, allows your mouse cursor to be tracked anywhere on the screen, even if the Internet Explorer window is inactive, unfocused or minimised. The vulnerability is notable because it compromises the security of virtual keyboards and virtual keypads."
Re: (Score:2)
Re: (Score:2, Insightful)
Because it would be challenging, would BE the reason someone would write this exploit.
Re: (Score:3)
For a virtual keyboard that you'd be typing a password into, there shouldn't be any issues with autocorrect. Just the series of movements would pretty quickly correlate to a low entropy password. Something stupid like 'Password1' would show up in a heatmap pretty easy.
Re: (Score:3)
Obvious issues are obvious because you are not thinking about simplifying the problem sufficiently to make it possible. Think about the complexity of an audio fingerprint to match a performer, song, and album, even with background noise and crappy microphone. But Shazam and Picard and others do it already.
Think about the patterns on a numeric keyboard - 9713 followed by 9856. They could show up as the same, due to differences in scale. But now you only need to try a few numeric passwords. There are 3 m
IE, an entomologist's dream application... (Score:2)
Seriously, I can't see why anybody else would care, mouse coordinates are not useful data for anything.
In and of themselves, you are right, they aren't a threat. But what other bugs are there in IE that this could be used in conjunction with?
I can think of one app right off the top of my head that this could be a big deal for. Doesn't the Putty ssh key generator app use mouse movements to seed the SSH key generation? If you knew that was running, and could track mouse movement, that would give you a lot of information that shouldn't be shared. I think a lot of git based stuff uses SSH keys for authentica
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Re:Some of these IE bugs are things of beauty. (Score:5, Informative)
IngDirect (now Capital One) uses a virtual pinpad as the standard means of accessing your account.
789
456
123
You click on each digit of your PIN after entering (or pulling down from the history on registered computers) your customer number. You can not type them. You must click them.
Re: (Score:3)
IngDirect (now Capital One) uses a virtual pinpad as the standard means of accessing your account.
789
456
123
You click on each digit of your PIN after entering (or pulling down from the history on registered computers) your customer number. You can not type them. You must click them.
This is a security feature to prevent a keylogger from capturing your PIN. After all, what software would be stupid enough to pass your mouse coordinates and button presses to untrusted javascript?
Now suppose Evildude buys an ad that pops up when someone searches on IngDirect. Many people never type in the address bar. They use search to find the site they want to go to. Now you have your exploit and a pretty good correlation with the IngDirect site. Bingo.
Re: (Score:3)
Aion (the game) uses this in a smarter way - it randomizes the number placement in the virtual numpad.
Such measure would defeat attempting to use this vulnerability to get someone's clickable PIN.
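The layout randomisation described in the comment above, as an added example that is not part of the original thread or any bank's or game's code: it compares what cursor coordinates alone reveal on a fixed pad with what they reveal on a pad shuffled per login. The function names, the 60-pixel key size and the 0 key on a fourth row are assumptions made for the illustration.

```javascript
const { randomInt } = require('crypto');

const COLS = 3;     // keys per row
const KEY_PX = 60;  // assumed key size in pixels

// Fixed pad as drawn in the thread (789 / 456 / 123); the 0 key on a fourth row is an assumption.
const FIXED_LAYOUT = [7, 8, 9, 4, 5, 6, 1, 2, 3, 0];

// Fisher-Yates shuffle driven by a CSPRNG; a fresh layout is drawn for every login.
function makeRandomLayout() {
  const layout = FIXED_LAYOUT.slice();
  for (let i = layout.length - 1; i > 0; i--) {
    const j = randomInt(i + 1); // uniform in [0, i]
    [layout[i], layout[j]] = [layout[j], layout[i]];
  }
  return layout;
}

// Centre of the key showing `digit`, relative to the pad's top-left corner.
function keyCentre(layout, digit) {
  const slot = layout.indexOf(digit);
  if (slot < 0) throw new RangeError(`digit ${digit} is not on the pad`);
  return {
    x: (slot % COLS) * KEY_PX + KEY_PX / 2,
    y: Math.floor(slot / COLS) * KEY_PX + KEY_PX / 2,
  };
}

// Coordinates a user clicks to enter `pin` on the given layout.
function clicksForPin(layout, pin) {
  return [...pin].map((ch) => keyCentre(layout, Number(ch)));
}

// Map click coordinates back to digits under a layout; clicks off the pad become '?'.
function decodeClicks(layout, clicks) {
  return clicks.map(({ x, y }) => {
    const col = Math.floor(x / KEY_PX);
    const row = Math.floor(y / KEY_PX);
    const slot = row * COLS + col;
    const onPad = col >= 0 && col < COLS && row >= 0 && slot < layout.length;
    return onPad ? String(layout[slot]) : '?';
  }).join('');
}

// Constructed demo: the same PIN entered on the fixed pad and on a per-session shuffled pad.
function demo(pin = '2580') {
  const sessionLayout = makeRandomLayout();
  const fixedClicks = clicksForPin(FIXED_LAYOUT, pin);
  const randomClicks = clicksForPin(sessionLayout, pin);
  return {
    // Fixed pad: coordinates alone are enough to read the PIN back.
    fixedLeak: decodeClicks(FIXED_LAYOUT, fixedClicks),
    // Shuffled pad: the site, which knows this session's layout, still gets the PIN.
    serverView: decodeClicks(sessionLayout, randomClicks),
    // Shuffled pad: the same coordinates read against the standard layout.
    observerGuess: decodeClicks(FIXED_LAYOUT, randomClicks),
  };
}

console.log(demo());
```

The protection holds only while the party seeing the coordinates cannot also learn the session's layout, so the layout has to be drawn fresh each login and kept out of reach of other scripts.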
Re: Seriously .. (Score:2)
Re: (Score:3)
What about systems with onscreen keyboards, such as those with touchscreens or accessibility features? If your keyboard is onscreen, then cursor location polling is basically the same as keylogging.
Re: (Score:2)
From what I recall of ING (internet banking) - they have (or had) a pin-type number pad where you enter a PIN to access your account using mouse clicks. You don't type it in. This was to defeat key loggers.
Re: (Score:2)
It allows for advanced Facebook integration with cutting edge cloud computing advertisers running the new touch-screen oriented Windows Server. This delivers high quality targeted rich media advertising to the world's most common platform.
Bingo, sir. [dilbert.com]
Re: (Score:2)
that's called 'bullshit bingo' now.
Re: (Score:3)
Re: (Score:2)
We need to start looking at them as performance art.
Historically, there's been nothing artistic about the performance of Internet Explorer, except perhaps in the wide and varied ways in which it catches fire. That said... someone really needed to have screwed the pooch to make this vulnerability possible; Windows by default won't dump mouse movement events into a window or control's message queue unless it's directly over it, and the x,y coordinates are usually relative not absolute (though one can make a dll call to get the absolute coordinates). But then,
Re: (Score:2)
There are some pretty good [youtube.com] artistic videos on internet exploder catching fire out there.
They had to screw up? (Score:2)
Good job (Score:1)
Surprised? (Score:1)
WTF? (Score:2)
Why would a program even have access to mouse activity that isn't occurring within its window?
Re: (Score:2)
There are legit programs such as presenting your screen and you need to show where your mouse is, or even programs that will try to predict your next action ahead of time for faster performance. Or you just really like xeyes.
I admit it is a scary feature however there are actually legit uses for it too.
Re: (Score:2)
I can definitely see the use cases (if nothing else, the window manager needs to know where the mouse is to manage windows), it just seems like a strange thing to have available by default, especially for a browser, which can reasonably assume that it will spend its entire life handling malicious inputs.
Re: (Score:1)
Re: (Score:2, Troll)
> Why would a program even have access to mouse activity that isn't occurring within its window?
To properly implement xeyes, obviously.
PS: n00b! :->
PS2: I found this js version of xeyes [arc.id.au], you IE users should have eyes following you outside the browser windows, right? With my ff on linux they stop following outside the window.
Re: (Score:2)
Same here. Same monitor, different monitor, doesn't even work across windows.
Re: (Score:2)
Interesting, so the reported leak is towards the server not the other pages.
Re: (Score:2)
Probably their method of carrying tabs to and from active windows.
Exposing it to web pages is something quite weird to allow, though.
TightVNC use those hooks a lot (Score:2)
Well, TightVNC has a reasonable reason to do that, I'd bet all VNC servers and the Remote Desktop do that. Funny thing is that on Linux, TightVNC must create a new X-client for plugging into that kind of data, thus I think that X won't let you capture any click you want.
But then, how do X-eyes run?
SMH (Score:3)
IIRC, your standard message pump in Windows won't send mouse events to your window if you don't have focus. Which means they had to do something extra to make it happen. Not for, say, Magnifier, but for a mere web browser.
Craziness.
Re: (Score:1)
IIRC, your standard message pump in Windows won't send mouse events to your window if you don't have focus. Which means they had to do something extra to make it happen. Not for, say, Magnifier, but for a mere web browser.
Craziness.
Chrome (a mere web browser) receives mouse events when not in focus also. Just put another window on top of it and hover the mouse over the back button. You will see its state change.
Re: (Score:2)
I can't reproduce this. Maybe it's a windows-only issue?
Re: (Score:2)
I can reproduce it with both Chrome and Firefox (give focus to another window, Firefox and Chrome still process hover events even when they're not the active window).
For the processing to happen, Chrome/Firefox do have to be the top window in z-order when the hovering happens, though (although they don't have to be active). They don't trigger hover events "through" an Aero glass border of another window.
Re: (Score:2)
Mouse events are not the only way to get mouse coordinates or button state - you can just directly ask the OS [microsoft.com] for the current state. The coordinates returned are relative to the screen, and can then be translated to window-relative coordinates. Sounds like IE is doing just that.
Re: (Score:2)
do you fix the bug and get sued by wordperfect for not documenting your calls (seriously) or not fix the bug and worry about everyone calling you an insecure (yet massively used) code house.
You document the calls in the first place, as a standard part of making a public API, rather than using inside knowledge to keep wordperfect's development slower and more expensive than your own. Then when you fix the bug later, you stay as true to that documentation as is possible, so there's no indication of ill will in any loss of compatibility.
you win some, you lose some in the software industry
Software development is a business, not a casino. There's enough risk in the market alone without betting on whether a judge will allow shady legal tactics.
Let me be the first to say... (Score:1)
...you've got to be fucking kidding me.
Because I am too lazy (Score:2)
to RFA, can someone explain exactly how this can be exploited by analytics companies with regards to ads?
If my browser is not active, and I have, say, an iTunes window open on top, then how will these analytic companies know the mouse is over a spot on iTunes that has an ad underneath in the browser window? Are ad companies making money by your mouse just moving over an area rather than clicking on it? I know there are those ad companies that have flash/html5 ads that do something nifty when you roll over
Re: (Score:2)
Here, I'll RTFA for you, hopefully you're not too lazy to read this reply :)
It's dangerous if you're using virtual keyboards, as they can then track where your mouse is and potentially work as a keylogger.
Re: (Score:2)
Right, I actually read that part after I did RTFA, but that doesn't answer the part in the OP, which was
"The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month.'"
How does using a virtual keyboard have anything to do with this? Sure the amount of people using virtual keyboard is incredibly small, and the ads rolled over or visited by those folks are probably much smaller still.
Re: (Score:2)
It's only extremely small while Windows 8 + touch screens don't get more common
Re: (Score:2)
I could be wrong but I'd bet that mouse heat maps would line up with eye heat maps somewhat nicely. Not on any individual basis of course, but in the aggregate. If true, that would mean the information could be very helpful in identifying what ads, images, paragraphs, design details, etc that people are looking at which would be a pretty useful piece of data if your profession is to get people to look at something.
Re: (Score:2)
All big browsers will let you collect mouse heatmaps. The problem is that IE will let you collect heatmaps of whatever is on the screen, not just your page.
Now, why would analytics companies care about heatmaps of anything besides their own sites?
Re: (Score:2)
Everyone seems focused on the potential for keylogging, but I see a lot of problems in trying to develop this exploit into a useful keylogger. It's not going to be easy and it's not going to be accurate, though that might change if the Windows surface products ever take off (though I do have to wonder if touch input in windows 8 would be vulnerable to this particular exploit).
I imagine how they are probably using the data is by collecting information from thousands of users on the same page, with the same
Picture password? (Score:2)
I haven't even touched a computer with Windows 8, so forgive my ignorance, but could this be used to capture someone's picture password strokes?
Re: (Score:2)
Yes
Re: (Score:2)
Bullshit... at least not the picture password for the local machine.
When you are entering your picture password, you are in a special trusted process that _even_with_UAC_off_ is isolated from normal user processes.
However, if you are remoting into another machine, it can capture anything you draw there...
Jorgie
Track my mouse? (Score:5, Funny)
Good. I always suspected the little bastard was up to something when I'm not around.
Can they do this for my car keys as well?
The Big Picture (Score:2)
You're not seeing the big picture. Mouse movement patterns can predict attitudes, political orientation, sexual orientation, and how many pets someone owns. The r squared of the correlation is nearly 0.05 making it extremely interesting to analytic companies. There is a database somewhere of literally years of mouse movement records that demonstrate changes in religion, politics, and mean income. We're talking about a new marketing paradigm for the 21st century advertiser.
I use IE5 (Score:2, Funny)
Vindication!
Which companies are exploiting this? (Score:2)
Good for the Spider guys to discover this problem. It would be more helpful if they named/shamed the companies that are exploiting this.
Anyone have this info?
Which ad analytics companies are using this? (Score:2)
Which ad analytics companies are using this? I read all the linked material and all I see is some lofty assertion that two companies are already using it. Name and shame them, would you please?
exploited for what? (Score:3)
I want this patched, but I'm very curious as to how this really compromises anything.
I can see how it can affect virtual keyboards. Who exactly is this market? People using IE and using Virtual keyboards for security reasons? Can we have a slashdot poll of virtual keyboards users and their favorite browser?
It says these ad sites are using the data. What exactly does this give them...maybe the fact that I click the start button at 10:01 A.M. every day? Otherwise it is just random X,Y coords without knowing what app has focus.
Re: (Score:2)
Well. Say I'm hawking advertisements. I know where your mouse pointer is. I know you're about to close my ad. So, I move the ad to somewhere else on the screen. I can see how it can be used for nuisance value.
That's so 2001. They've made js that causes the ad to run away from the mouse for some time. Then I found the person who invented that code and shot him.
What's more interesting to advertisers and website owners is where you're keeping your mouse. Most of these things can be tracked by any browser when your mouse stays inside the window. This is just giving 'more' information than they had before. Do people tend to keep the website open while doing other things? Before when the mouse moved out, it was just go
Pointer Lock API (Score:2)
Re: (Score:2)
I believe this only provides mouse movement data while the window has focus.
They just can't get anything right... (Score:2)
Microsoft headed off to a good start by enabling the joke that is the DNT header by default. And now... the same kind of ridiculously bad exploits that Internet Explorer has been known for since its beginning re-emerge like a bad case of the varicella zoster virus and shit all over it.
Solution that tells attackers to F* off (Score:2)
Exploit for gesture lock? (Score:2)
A crypto backdoor? (Score:2)
A bit like the telco software that sits on a phone and tracked every key press when enabled.
Where is the 'leet FBI squad (Score:3)
According to TFA, at least two ad companies are exploiting this vulnerability to spy on users now. Where is the FBI raid?
Whoa whoa, now... get it right... (Score:3)
Re: (Score:2)
Re: (Score:2)
I don't even think Steve Jobs was Steve Jobs, honestly.
His liver certainly wasn't. (Too soon?)
Really? Why Doesn't the Demo Work in FF Then? (Score:5, Informative)
Conversely this just sounds like Microsoft being bit in the ass by giving their browser special privileges to native OS libs and dlls.
Re:Really? Why Doesn't the Demo Work in FF Then? (Score:4, Informative)
Nothing happens in Chrome either. In IE it works. I did notice that it only tracks while the mouse cursor is on the same monitor as the IE window.
Re: (Score:3)
Good to know. Now all I have to do is have my IE window open on the monitor I just setup for IE (and nothing else) :-D Problem solved.
Re: (Score:2)
It's also extremely inaccurate. The picture shows the mouse pointing well off of the IE window when I was pointing it at the address bar.
Re: (Score:2)
More correctly the demo shows the position on the monitor it was initialised in: I dragged IE to an adjacent monitor - the window representation moved out of the viewport as I did it - and I noted how it knew Ctrl Alt and Shift were pressed when it didn't even have focus.
Re: (Score:2)
Which version of IE? I know they said it works in IE10 but I'm not seeing anything moving on the demo.
Re: (Score:2)
Sorry for the self reply. Just ran it in IE9 and it works. Not IE10 though.
Re: (Score:2)
Well the exploit uses APIs that only work in IE, such as attachEvent, so it breaks in other browsers before it can even try the exploit.
I looked into how other browsers handle manually firing events and found this nice example [mozilla.org]. As you can see, you are REQUIRED to create your OWN event object, where the exploit depends on the browser creating and populating one.
Re: (Score:2)
Every browser will let you track clicks ON THE PAGE YOUR SCRIPT IS RUNNING. Only IE will let you track clicks on other pages, or in places completely outside the browser Window.
(By the way, can an application track clicks outside of its window on X?)
Re:How odd. (Score:2)
track your mouse cursor anywhere on the screen, even if the browser isn't being actively used.
I always have IE up due to the fact it's the only browser that works with my sign in/out webpage for work.
Even still, I don't see it working unless I pull it up actively in IE.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
How do you type on a tablet, or if you do not have use of your hands? That's right, an on screen keyboard.
Like having a built in keylogger do you?
Re: (Score:2)
On-screen keyboards, when used on touch or pen displays, don't have a "mouseX" or "mouseY". Right? Those variables would be filled-in only for the one click event being sent to the application receiving it, presumably when generating a "nothing" event they are blank.
So I don't see how this can be used to exploit it. Or maybe there's something I'm missing.
Re: (Score:2)
We need a back to the basics web standard that is long-term stable and only offers link interactivity. No hover, no conditional loading, no scripting, just pages linked to other pages.
This sounds like an interesting concept, but any attempt to actually implement it would descend into political morass. OK, no Javascript, that's pretty straightforward... but there are a million other arguments that would inevitably crop up. Should CSS be permitted, and if so, to what extent? (You already indicated you would
Re: (Score:2)
In theory this is a *feature* of IE and not a bug.
Then again this is why I use noscript and the EasyList + EasyPrivacy filter set
Re: (Score:3)
You are missing something here. Even with crappy feed back data you are reducing the password possibilities to a much smaller subset. Added to the fact that people choose terrible passwords you can easily reduce the search field from Billions and Billions to a few hundred or less.