Thursday, December 13, 2012

Internet Explorer 6-10 vulnerability lets hackers track your mouse movements

A vulnerability found in Microsoft's Internet Explorer allows hackers to track the movements of your mouse cursor across the screen, which could in turn reveal data entered on virtual keyboards.
Virtual keyboards and keypads can be used to reduce the chance of a keylogger recording every keystroke and therefore being able to "read" your passwords. However, Spider.io discovered that Internet Explorer versions 6 to 10 make it possible for your mouse cursor to be tracked anywhere on screen, even if the IE tab is minimised. You can see a video demonstration of the vulnerability embedded in this post, or you can try it yourself at this link (provided you are browsing with IE).
This particular vulnerability is of concern because, if you use Internet Explorer, your mouse movements can be recorded even if you never install any software. A hacker simply needs to buy a display advertising placement on any webpage you visit. As long as the tab with the ad remains open, mouse movements can be tracked.
The analytics company disclosed the vulnerability to Microsoft back in October, but has now gone public. The Microsoft Security Research Centre recognises that there is a vulnerability but has said that there are no immediate plans to patch it. Spider.io says that a number of web analytics companies are already making use of this ability to track cursor movements.
Spider's Douglas de Jager explained to Wired.co.uk that they discovered the issue when looking into ways to measure the position of advertisements on a web page. There are two ways to measure the "viewability" of display advertisements online -- i.e. to check whether the ad slots are placed in a prominent place on the website. (This is because some disreputable publishers have been known to place MPUs and other ad placements outside of the frame of the website so that -- for example -- a video might be playing on repeat out of sight, meaning that the advertiser is paying for views of their video when web users aren't actually able to see them.)
One involves a geometric approach, which compares the position of the four corners of the ad relative to the host webpage with the position of the four corners of the browser's viewport relative to the host webpage. A variant of this approach compares the ad with the screen edge rather than the host page. This geometric approach doesn't work so well when ads are embedded in "unfriendly" or cross-domain iframes. A second approach involves monitoring browser optimisations: by monitoring how a browser allocates resources to render an ad, you can determine what proportion of the ad is in view -- this is the approach that Spider.io uses.
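The geometric viewability check described above can be sketched as follows. This is an added example, not code from Spider.io or the original article; the function names, the rectangle shape and the sample coordinates are hypothetical. It also shows why the method breaks down for cross-domain iframes: once one frame offset is unreadable, the ad's corners cannot be placed relative to the host page.

```javascript
// Added illustration (hypothetical names). Rectangles are
// {left, top, width, height} in CSS pixels, relative to the host page.

// Overlap of two rectangles in the same coordinate system, or null if none.
function intersect(a, b) {
  const left = Math.max(a.left, b.left);
  const top = Math.max(a.top, b.top);
  const right = Math.min(a.left + a.width, b.left + b.width);
  const bottom = Math.min(a.top + a.height, b.top + b.height);
  if (right <= left || bottom <= top) return null;
  return { left, top, width: right - left, height: bottom - top };
}

// Fraction (0..1) of the ad that lies inside the viewport.
// Returns null when the geometry is unavailable.
function viewableFraction(ad, viewport) {
  if (!ad || !viewport) return null;
  if (ad.width <= 0 || ad.height <= 0) return 0;
  const overlap = intersect(ad, viewport);
  if (!overlap) return 0;
  return (overlap.width * overlap.height) / (ad.width * ad.height);
}

// Translate an ad rectangle from its own frame into host-page coordinates
// by adding the offset of every enclosing frame. A null entry models a
// cross-domain iframe whose offset the measuring script cannot read.
function adRectInPage(adInFrame, frameOffsets) {
  let { left, top } = adInFrame;
  for (const offset of frameOffsets) {
    if (offset === null) return null;
    left += offset.left;
    top += offset.top;
  }
  return { left, top, width: adInFrame.width, height: adInFrame.height };
}

// Constructed sample data: a 1024x768 viewport scrolled 600 px down.
const viewport = { left: 0, top: 600, width: 1024, height: 768 };
const partlyVisible = { left: 700, top: 1218, width: 300, height: 250 };
const outsideFrame = { left: 1100, top: 700, width: 300, height: 250 };
const inIframe = { left: 0, top: 0, width: 300, height: 250 };

console.log(viewableFraction(partlyVisible, viewport)); // partly in view
console.log(viewableFraction(outsideFrame, viewport));  // placed out of sight
console.log(viewableFraction(adRectInPage(inIframe, [null]), viewport));
```

A placement positioned outside the visible frame, as in the out-of-sight video example mentioned earlier, scores zero, while the cross-domain case yields no measurement at all.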
The Internet Explorer issue arose in the geometric approach that the browser takes, which involves showing the position of the cursor relative to the advertisement and relative to the screen edge -- allowing web analytics companies and potentially hackers to ascertain the cursor position at any point.
In order to glean any meaningful information from this attack, any hacker would need to know what website or application the user was using and the layout of the site. The site would also need to use an onscreen keypad or keyboard to enter sensitive information -- something that ING Direct's online banking service uses.
