IE lets websites track cursor movements

Microsoft has been campaigning to improve Internet Explorer’s public image—and it’s got a long road ahead if security oversights like this one keep popping up. According to Wired, a new exploit could allow malicious websites to track your mouse movements across the screen. All versions of IE from 6.0 on up are affected.

Don’t believe us? Just load up this harmless proof-of-concept demo in Microsoft’s browser. Or watch the video embedded below, which shows cursor movements being relayed even when they occur outside the browser:

The flaw was discovered by web analytics firm Spider.io, which reportedly alerted Microsoft back in October. Microsoft’s response was… less than encouraging. "The Microsoft Security Research Centre recognises that there is a vulnerability but has said that there are no immediate plans to patch it," according to Wired.

As Wired points out, the exploit could be used to gather online banking log-ins, since some banking sites use on-screen keypads in an attempt to thwart keyloggers. Simply tracking cursor movements may not be a huge help, of course—to do any real damage, you’d probably need other malware to relay what’s being displayed on the screen. Still, it would be nice if IE wasn’t a potential participant in that kind of thing. Here’s hoping Microsoft addresses the issue sooner rather than later.

Comments closed
    • rrr
    • 7 years ago

    Well, so much for the “IE10 is actually a great browser” argument…

    • Anarchist
    • 7 years ago

    another reason to use firefox with java-script disabled.

    • moog
    • 7 years ago

    Damn it TR!

    Why can’t you guys fix your script code – it’s been half a fuking yr that arrow keying around in this shatty abysmal comment box in IE9 doesn’t show the cursor! Tired of making spelling errors and correcting myself to only make more spelling errors.

    This is IE 9.0.8112.16421

    • Ryhadar
    • 7 years ago

    K?…

    You could write your own piece in JavaScript that will track mouse movements that will work in any browser. IE does go a step further by being able to track the mouse movements outside the browser window (focus or not) but, so? The only way I could see this being remotely harmful is when you’re inside the browser window anyway which, as I pointed out, can already happen if harmful javascript is loaded on the page.

    I’m no champion of Internet Explorer but I agree with the MS Research Center on this one. Fixing this would be a waste of time.

      • Ryu Connor
      • 7 years ago

      It would be epically difficult to exploit this.

    • willmore
    • 7 years ago

    IE Sucks….more.

      • yogibbear
      • 7 years ago

      IE SUCKERPUNCH!!!!! #lolcats #7up #G@M3R

        • willmore
        • 7 years ago

        I’m not even sure what that means.

    • no51
    • 7 years ago

    If this was patched, how will it affect pointerpointer.com ?

      • sweatshopking
      • 7 years ago

      idk, site works fine in opera!

      • jonjonjon
      • 7 years ago

      i have to say that is the most pointless (pun intended) website i have ever gone to.

      http://www.quora.com/Web-Development/How-does-http-pointerpointer-com-work

    • SnowboardingTobi
    • 7 years ago

    I thought this was already known? I’ve known about this “functionality” for years now as have a few other coworkers.

      • indeego
      • 7 years ago

      You heard it here first folks: SnowboardingTobi done funna schooled the security community.

    • albundy
    • 7 years ago

    this is great for those bank sites that have a selection of verification pictures that you have to click on to continue. Malware loves IE cus nobody does it better!

    • Sargent Duck
    • 7 years ago

    Although it is concerning, I think it’s pretty “useless” unless you actually use your mouse to enter pin numbers…which I have never seen before on a banking site…

      • oldog
      • 7 years ago

      I know ING does this as one part of login security on their website.

      • rrr
      • 7 years ago

      Both my brothers do so. But they also use better browsers than IE.

    • I.S.T.
    • 7 years ago

    The fact that they did not patch this yet is one of the biggest examples of why I stopped using I.E. nearly a damned decade ago. I’m not even 30.

      • eitje
      • 7 years ago

      I think the correlation below is just as valid:

      “The fact that I'm not even 30 is one of the biggest examples of why I stopped using I.E. nearly a damned decade ago. they did not patch this yet.”

    • brute
    • 7 years ago

    2012 is definitely the end of microsoft. this exploit just proves that microsoft messed up with windows 8 and they are done as a company.

    plus i bet they will send all the mouse movements to the government and for free because they are an evil corporation

    signed,
    rusty shackleford

      • axeman
      • 7 years ago

      not sure if serious or being sarcastic/trolling

        • superjawes
        • 7 years ago

        Same…I don’t know whether to +1 or -1.

        #FirstWorldProblems

          • MadManOriginal
          • 7 years ago

          You might not be sure about his post, but for yours the decision is easy!

        • Sahrin
        • 7 years ago

        Not sure if never seen King of the Hill or being sarcastic/trolling.

      • adampk17
      • 7 years ago

      Deleted. Feeding the troll.

      • tootercomputer
      • 7 years ago

      troll or not, that’s one of the funnier anti-MS rants I’ve ever read.

      “they will send all the mouse movements to the government and for free because they are an evil corporation”

      That’s priceless.

        • ludi
        • 7 years ago

        It works even better if you can read it out loud in Dale’s voice.

      • StuG
      • 7 years ago

      Like the King of the Hill reference!

    • Arclight
    • 7 years ago

    I kinda agree with their Security Research Center, I mean this exploit is useless at best. Also who uses on-screen keypads by percentage of all Windows users?

      • Peldor
      • 7 years ago

      It’s not useless but it does have to be paired with snooping of people using specific websites. All in all, it does seem like a lot of work compared to the easy success of sending 50 million people:

      “Hi this is yuor bank. We have freezing of your money for improper acccess. Clisk here to confirm your pass word, and accounting number for great security and money.

      Much sincerely,
      Frank NGO’ta
      Senor Security Bank Manager”

      • NeelyCam
      • 7 years ago

      But, but.. it’s the government tracking you!!

      • indeego
      • 7 years ago

      Targeted attacks are common.
      It’s not useless given this very example above.
      This will be patched within 2 months, I guarantee it. (which is very fast for Microsoft Marketing.)

        • Vulk
        • 7 years ago

        They were made aware of it 2 months ago. What gives you this apparently unwarranted optimism?

          • indeego
          • 7 years ago

          Press coverage. Microsoft doesn’t do jack shizznizzle unless they are impacted by it in the market. It’s a key distinction between them and Goog.

          Well, Google never did anything about the Gaia breach to the best of our knowledge. Carry on!
