IE vulnerability lets in mouse tracking

By on
IE vulnerability lets in mouse tracking

A website analytics firms has discovered a security vulnerability in all current versions of Internet Explorer that allows attackers to trace mouse cursors anywhere on users' screens., which reported the vulnerability, said the tracking can be done even if the Internet Explorer browser window is minimised.

The vulnerability can be exploited to capture virtual or screen keyboard input, said.

Such input methods are typically used to reduce the risk of keylogger malware recording keystrokes on physical keyboards.

Virtual keyboards are also used by disabled people, and when there is no physical keyboard present.

Security vendor Kaspersky Lab uses a virtual keyboard as part of its Anti-Virus 2013 product to avoid interception of data. 

User names, passwords and credit card details can be captured through the exploit, according to 

Two unnamed display ad analytics companies already exploit the vulnerability, "across billions of page impressions a month," said.

The company said that no software needs to be installed on victims' computers and the tracking is done entirely through Javascript embedded in webpages.

Thanks to Internet Explorer's event model populating the global Event object with mouse event attributes, and the ability to trigger events manually through the fireEvent() method, attackers can easily work out where on the screen the mouse cursor is placed.

This is irrespective of the tab or window containing the tracking Javascript being inactive or not in focus, or minimised. Several mouse and keyboard status properties can be read this way by attackers. has set up a demo page to show how the data leakage vulnerability works.

Other browsers such as Chrome, Opera and Firefox are not vulnerable to the exploit.

Microsoft's Security Research Centre has been notified by and acknowledged the vulnerability in Internet Explorer.

However, according, the MSRC said "there are no immediate plans to patch this vulnerability in existing versions of the browser."

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © . All rights reserved.

Most Read Articles

Log In

  |  Forgot your password?