
IE Flaw Lets Sites Track Your Mouse Cursor, Even When You Aren't Browsing

Posted by Soulskill
from the now-everybody-knows-your-goofy-little-mouse-movements dept.
An anonymous reader writes "A new Internet Explorer vulnerability has been discovered that allows an attacker to track your mouse cursor anywhere on the screen, even if the browser isn't being actively used. 'Whilst the Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser. It is important for users of Internet Explorer to be made aware of this vulnerability and its implications. The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month.' All supported versions of Microsoft's browser are reportedly affected: IE6, IE7, IE8, IE9, and IE10."
  • by multicoregeneral (2618207) on Wednesday December 12, 2012 @03:44PM (#42264213) Homepage
    I think in general, we need to stop looking at them as bugs. We need to start looking at them as performance art.
    • by masternerdguy (2468142) on Wednesday December 12, 2012 @03:48PM (#42264285)
      This isn't a bug it's a feature! It allows for advanced Facebook integration with cutting edge cloud computing advertisers running the new touch-screen oriented Windows Server. This delivers high quality targeted rich media advertising to the world's most common platform.
      • by Synerg1y (2169962)
        Seriously, I can't see why anybody else would care, mouse coordinates are not useful data for anything. The fact that they have "detector" exposed... somebody needs to stop working in development for that one.
        • by Anonymous Coward on Wednesday December 12, 2012 @03:58PM (#42264425)
          You're not seeing the big picture. Mouse movement patterns can predict attitudes, political orientation, sexual orientation, and how many pets someone owns. The r squared of the correlation is nearly 0.05 making it extremely interesting to analytic companies. There is a database somewhere of literally years of mouse movement records that demonstrate changes in religion, politics, and mean income. We're talking about a new marketing paradigm for the 21st century advertiser.
          • Ah! So if the mouse cursor is constantly going to the bottom left, they are a conservative windows user. But if it goes to the top left, they are a wine-loving Ubuntu user?
          • by Samantha Wright (1324923) on Wednesday December 12, 2012 @05:09PM (#42265345) Homepage Journal

            More plausibly, this can be used to determine how quickly someone reaches for the top-right corner to kill an advertisement, or if they start to and then suddenly stop because they got distracted by something in the pop-up.

            ...based on the content of which, you can then predict attitudes, political orientation, sexual orientation, and how many pets someone owns. The r squared of the correlation is nearly 0.05 making it extremely interesting to analytic companies. There is a database somewhere of literally years of mouse movement records that demonstrate changes in religion, politics, and mean income. We're talking about a new marketing paradigm for the 21st century advertiser.

            • by AmiMoJo (196126) *

              It would be a pretty good way to "fingerprint" someone whose browser is otherwise rejecting cookies and who is behind NAT with other users.

              • Perhaps in a small population with many data points for each individual that's possible, but if you consider cookies a valid measure of uniqueness, you might as well use user agent + installed fonts as your unique token. In a larger data set the analysis of motions which are this complex would be either computationally prohibitive, or far too esoteric and subtle to have statistical confidence.
        • by mcl630 (1839996) on Wednesday December 12, 2012 @04:00PM (#42264463)

          Seriously, I can't see why anybody else would care, mouse coordinates are not useful data for anything. The fact that they have "detector" exposed... somebody needs to stop working in development for that one.

          It is useful data if the user is using a virtual keyboard on a touch-device.

        • by gmuslera (3436) on Wednesday December 12, 2012 @04:13PM (#42264649) Homepage Journal
          Wonder if touch input is counted as mouse coordinates. If so, it is at the very least a keylogger.
        • by JDG1980 (2438906) on Wednesday December 12, 2012 @04:25PM (#42264797)

          Seriously, I can't see why anybody else would care, mouse coordinates are not useful data for anything.

          From the original article: "A security vulnerability in Internet Explorer, versions 6–10, allows your mouse cursor to be tracked anywhere on the screen, even if the Internet Explorer window is inactive, unfocused or minimised. The vulnerability is notable because it compromises the security of virtual keyboards and virtual keypads."

          • by Synerg1y (2169962)
            It can... you'd have to write a reverse mouse coordinator to keyboard mapper type app, account for screen resolution, write an algorithm, or use a set of pretty red eyeballs to factor out all the typos, junk clicks, factor in for auto-correct on these types of keyboards and then maybe you'd have something. And these are obvious issues I can think of off the top of my head. Any volunteers?
            • Re: (Score:2, Insightful)

              by Anonymous Coward

              Because it would be challenging, would BE the reason someone would write this exploit.

            • For a virtual keyboard that you'd be typing a password in to, there shouldn't be any issues with autocorrect. Just the series of movements would pretty quickly correlate to a low entropy password. Something stupid like 'Password1' would show up in a heatmap pretty easy.

            • by b4dc0d3r (1268512)

              Obvious issues are obvious because you are not thinking about simplifying the problem sufficiently to make it possible. Think about the complexity of an audio fingerprint to match a performer, song, and album, even with background noise and crappy microphone. But Shazam and Picard and others do it already.

              Think about the patterns on a numeric keyboard - 9713 followed by 9856. They could show up as the same, due to differences in scale. But now you only need to try a few numeric passwords. There are 3 m

        • Seriously, I can't see why anybody else would care, mouse coordinates are not useful data for anything.

          In and of themselves, you are right, they aren't a threat. But what other bugs are there in IE that this could be used in conjunction with?

          I can think of one app right off the top of my head that this could be a big deal for. Doesn't the Putty ssh key generator app use mouse movements to seed the SSH key generation? If you knew that was running, and could track mouse movement, that would give you a lot of information that shouldn't be shared. I think a lot of git based stuff uses SSH keys for authentica

          • by Synerg1y (2169962)
            As long as they reversed the encryption formula in real-time... I don't think the ssh key generator uses the mouse as the only factor of the salt.
        • Several secure banking apps allow the user to click screen icons to spell out PINs and passwords.
          • by Synerg1y (2169962)
            On a website or atm? I can't think of any that let you use a built in on screen keyboard embedded into the website (req. for steady xyz tracking to grab a pin).
            • by mythosaz (572040) on Wednesday December 12, 2012 @04:53PM (#42265137)

              IngDirect (now Capital One) uses a virtual pinpad as the standard means of accessing your account.

              789
              456
              123

              You click on each digit of your PIN after entering (or pulling down from the history on registered computers) your customer number. You can not type them. You must click them.

              • by Smallpond (221300)

                IngDirect (now Capital One) uses a virtual pinpad as the standard means of accessing your account.

                789
                456
                123

                You click on each digit of your PIN after entering (or pulling down from the history on registered computers) your customer number. You can not type them. You must click them.

                This is a security feature to prevent a keylogger from capturing your PIN. After all, what software would be stupid enough to pass your mouse coordinates and button presses to untrusted javascript?

                Now suppose Evildude buys an ad that pops up when someone searches on IngDirect. Many people never type in the address bar. They use search to find the site they want to go to. Now you have your exploit and a pretty good correlation with the IngDirect site. Bingo.

              • by Luckyo (1726890)

                Aion (the game) uses this in a smarter way - it randomizes the number placement in the virtual numpad.

                Such a measure would defeat attempting to use this vulnerability to get someone's clickable PIN.
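
Added example (not part of the thread or of any poster's comment): a sketch of why the randomized pad described above removes the link between click positions and digits, compared with the fixed 789/456/123 pad quoted earlier. The 60-pixel cell size and all function names are assumptions made for this illustration.

```javascript
// Added example: fixed vs. per-session shuffled PIN pad, as seen through click positions only.
// CELL size and all function names are assumptions made for this illustration.
const webCrypto = globalThis.crypto ?? require('crypto').webcrypto;

const CELL = 60; // constructed: each key is a 60x60 px cell in a 3x3 grid
const FIXED_LAYOUT = ['7', '8', '9', '4', '5', '6', '1', '2', '3']; // pad quoted in the thread

// Unbiased integer in [0, n) via rejection sampling over 32-bit values.
function randomBelow(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// Fisher-Yates shuffle: a fresh digit placement for one login session.
function shuffledLayout() {
  const keys = FIXED_LAYOUT.slice();
  for (let i = keys.length - 1; i > 0; i--) {
    const j = randomBelow(i + 1);
    [keys[i], keys[j]] = [keys[j], keys[i]];
  }
  return keys;
}

// Grid cell index (0..8) for a click at pad-relative pixel coordinates, or -1 if outside.
function cellAt(x, y) {
  const col = Math.floor(x / CELL);
  const row = Math.floor(y / CELL);
  if (col < 0 || col > 2 || row < 0 || row > 2) return -1;
  return row * 3 + col;
}

// Click positions (cell centres) a user produces when entering `pin` on `layout`.
function clicksFor(pin, layout) {
  return [...pin].map((digit) => {
    const cell = layout.indexOf(digit);
    if (cell < 0) throw new Error(`digit ${digit} is not on the pad`);
    return { x: (cell % 3) * CELL + CELL / 2, y: Math.floor(cell / 3) * CELL + CELL / 2 };
  });
}

// Digits implied by click positions under a given layout. The site, which issued the
// session layout, passes the real one; positions alone only support the fixed layout.
function digitsFromClicks(clicks, layout) {
  return clicks.map(({ x, y }) => layout[cellAt(x, y)] ?? '?').join('');
}

// Constructed demo using 9713, the digits mentioned as an example in the thread.
const sessionLayout = shuffledLayout();
const clicks = clicksFor('9713', sessionLayout);
console.log('site decodes:   ', digitsFromClicks(clicks, sessionLayout)); // always 9713
console.log('positions alone:', digitsFromClicks(clicks, FIXED_LAYOUT));
```

The shuffle only helps if a new layout is issued for every login and the layout itself is not readable by third-party script on the page; it protects against an observer that sees positions but not the rendered pad.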

        • "The IE vulnerability compromises the security of virtual keyboards and virtual keypads, which can be used to reduce the chance of a keylogger recording every keystroke to learn your credit card numbers, passwords, and other sensitive information .. If you don't use IE, here's a video demonstration of the vulnerability in action [thenextweb.com]":
        • by spazdor (902907)

          What about systems with onscreen keyboards, such as those with touchscreens or accessibility features? If your keyboard is onscreen, then cursor location polling is basically the same as keylogging.

        • by rworne (538610)

          From what I recall of ING (internet banking) - they have (or had) a pin-type number pad where you enter a PIN to access your account using mouse clicks. You don't type it in. This was to defeat key loggers.

      • by dkleinsc (563838)

        It allows for advanced Facebook integration with cutting edge cloud computing advertisers running the new touch-screen oriented Windows Server. This delivers high quality targeted rich media advertising to the world's most common platform.

        Bingo, sir. [dilbert.com]

      • by http (589131)
        Bingo, sir.
    • We need to start looking at them as performance art.

      Historically, there's been nothing artistic about the performance of Internet Explorer, except perhaps in the wide and varied ways in which it catches fire. That said... someone really needed to have screwed the pooch to make this vulnerability possible; Windows by default won't dump mouse movement events into a window or control's message queue unless it's directly over it, and the x,y coordinates are usually relative not absolute (though one can make a dll call to get the absolute coordinates). But then,

  • That I only use Opera then.....
  • This is IE we are talking about...
  • Why would a program even have access to mouse activity that isn't occurring within its window?

    • There are legit programs such as presenting your screen and you need to show where your mouse is, or even programs that will try to predict your next action ahead of time for faster performance. Or you just really like xeyes.

      I admit it is a scary feature however there are actually legit uses for it too.

      • I can definitely see the use cases (if nothing else, the window manager needs to know where the mouse is to manage windows), it just seems like a strange thing to have available by default, especially for a browser, which can reasonably assume that it will spend its entire life handling malicious inputs.

    • by PPH (736903)
      Probably because IE is so tightly bound to Windows, everything is "its window".
    • Re: (Score:2, Troll)

      by marcello_dl (667940)

      > Why would a program even have access to mouse activity that isn't occurring within its window?

      To properly implement xeyes, obviously.

      PS: n00b! :->

      PS2: I found this js version of xeyes [arc.id.au], you IE users should have eyes following you outside the browser windows, right? With my ff on linux they stop following outside the window.

    • Probably their method of carrying tabs to and from active windows.

      Exposing it to web pages is something quite weird to allow, though.

    • Well, TightVNC has a reasonable reason to do that, I'd bet all VNC servers and the Remote Desktop do that. Funny thing is that on Linux, TightVNC must create a new X-client for plugging into that kind of data, thus I think that X won't let you capture any click you want.

      But then, how do X-eyes run?

  • by Applekid (993327) on Wednesday December 12, 2012 @03:48PM (#42264275)

    IIRC, your standard message pump in Windows won't send mouse events to your window if you don't have focus. Which means they had to do something extra to make it happen. Not for, say, Magnifier, but for a mere web browser.

    Craziness.

    • IIRC, your standard message pump in Windows won't send mouse events to your window if you don't have focus. Which means they had to do something extra to make it happen. Not for, say, Magnifier, but for a mere web browser.

      Craziness.

      Chrome (a mere web browser) receives mouse events when not in focus also. Just put another window on top of it and hover the mouse over the back button. You will see its state change.

    • Mouse events are not the only way to get mouse coordinates or button state - you can just directly ask the OS [microsoft.com] for the current state. The coordinates returned are relative to the screen, and can then be translated to window-relative coordinates. Sounds like IE is doing just that.

  • ...you've got to be fucking kidding me.

  • to RFA, can someone explain exactly how this can be exploited by analytics companies with regards to ads?

    If my browser is not active, and I have, say, an iTunes window open on top, then how will these analytic companies know the mouse is over a spot on iTunes that has an ad underneath in the browser window? Are ad companies making money by your mouse just moving over an area rather than clicking on it? I know there are those ad companies that have flash/html5 ads that do something nifty when you roll over

    • by yorgasor (109984)

      Here, I'll RTFA for you, hopefully you're not too lazy to read this reply :)

      It's dangerous if you're using virtual keyboards, as they can then track where your mouse is and potentially work as a keylogger.

      • by xevioso (598654)

        Right, I actually read that part after I did RTFA, but that doesn't answer the part in the OP, which was
        "The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month.'"

        How does using a virtual keyboard have anything to do with this? Sure the amount of people using virtual keyboard is incredibly small, and the ads rolled over or visited by those folks are probably much smaller still.

        • It's only extremely small while Windows 8 + touch screens don't get more common

        • I could be wrong but I'd bet that mouse heat maps would line up with eye heat maps somewhat nicely. Not on any individual basis of course, but in the aggregate. If true, that would mean the information could be very helpful in identifying what ads, images, paragraphs, design details, etc that people are looking at which would be a pretty useful piece of data if your profession is to get people to look at something.

          • All big browsers will let you collect mouse heatmaps. The problem is that IE will let you collect heatmaps of whatever is on the screen, not just your page.

            Now, why would analytics companies care about heatmaps of anything besides their own sites?

      • Everyone seems focused on the potential for keylogging, but I see a lot of problems in trying to develop this exploit into a useful keylogger. It's not going to be easy and it's not going to be accurate, though that might change if the Windows surface products ever take off (though I do have to wonder if touch input in windows 8 would be vulnerable to this particular exploit).

        I imagine how they are probably using the data is by collecting information from thousands of users on the same page, with the same

  • I haven't even touched a computer with Windows 8, so forgive my ignorance, but could this be used to capture someone's picture password strokes?

    • by mcl630 (1839996)

      Yes

      • Bullshit... at least not the picture password for the local machine.

        When you are entering your picture password, you are in a special trusted process that _even_with_UAC_off_ is isolated from normal user process.

        However, if you are remoting into another machine, it can capture anything you draw there...

        Jorgie

  • by PPH (736903) on Wednesday December 12, 2012 @04:04PM (#42264507)

    Good. I always suspected the little bastard was up to something when I'm not around.

    Can they do this for my car keys as well?

  • You're not seeing the big picture. Mouse movement patterns can predict attitudes, political orientation, sexual orientation, and how many pets someone owns. The r squared of the correlation is nearly 0.05 making it extremely interesting to analytic companies. There is a database somewhere of literally years of mouse movement records that demonstrate changes in religion, politics, and mean income. We're talking about a new marketing paradigm for the 21st century advertiser.

  • I use IE5 (Score:2, Funny)

    by Anonymous Coward

    All supported versions of Microsoft's browser are reportedly affected: IE6, IE7, IE8, IE9, and IE10.

    Vindication!

  • Good for the Spider guys to discover this problem. It would be more helpful if they named/shamed the companies that are exploiting this.

    Anyone have this info?

  • Which ad analytics companies are using this? I read all the linked material and all I see is some lofty assertion that two companies are already using it. Name and shame them, would you please?

  • by Twillerror (536681) on Wednesday December 12, 2012 @04:28PM (#42264843) Homepage Journal

    I want this patched, but I'm very curious as to how this really compromises anything.

    I can see how it can affect virtual keyboards. Who exactly is this market? People using IE and using Virtual keyboards for security reasons? Can we have a slashdot poll of virtual keyboards users and their favorite browser.

    It says these ad sites are using the data. What exactly does this give them...maybe the fact that I click the start button at 10:01 A.M. every day? Otherwise it is just random X,Y coords without knowing what app has focus.

  • Couldn't something similar be achieved using the Pointer Lock API [mozilla.org], as implemented by Firefox and Webkit browsers?
  • Microsoft headed off to a good start by enabling the joke that is the DNT header by default. And now... the same kind of ridiculously bad exploits that Internet Explorer has been known for since its beginning re-emerge like a bad case of the varicella zoster virus and shit all over it.

  • IE users can just draw a penis gesture with their mice.
  • Are the cursor coordinates available to IE while the screen is locked and you use mouse gestures to unlock it? Does this work with touch coordinates too? How does this affect the unlock feature of Windows 8 that I see demonstrated multiple times in commercials?
  • I wonder if this would help with on-screen keyboard users?
    A bit like the telco software that sits on a phone and tracked every key press when enabled.
  • by sjames (1099) on Wednesday December 12, 2012 @06:51PM (#42266547) Homepage

    According to TFA, at least two ad companies are exploiting this vulnerability to spy on users now. Where is the FBI raid?

  • by Chewbacon (797801) on Thursday December 13, 2012 @12:02AM (#42269173)
    ...it's not a bug, it's a feature. And you have to hold it upside down to get a clear signal.
