Security flaws are inevitable in operating systems and applications. Modern software is incredibly complex, and even the best developers in the world aren’t perfect. How the public responds to security flaws largely depends on how the developer reacts to the exploit. If it responds quickly with a promise to patch the flaw, and then delivers the fix in a timely manner, all is forgiven most of the time.
Sadly, an exploit found in Internet Explorer that tracks mouse movement and certain key presses – even when IE is minimised, or the tab is in the background – isn’t getting patched by Microsoft.
A web analytics company alerted Microsoft to this quirk back in October. The security vulnerability affects all versions of Internet Explorer from version 6 through 10. While Microsoft has acknowledged the issue, it isn’t going to be patched in the near future.
This is a problem not only because of the obvious privacy concerns, but also in terms of security. Some people use software keyboards on their screen specifically to reduce the chance of their passwords being tracked by a keylogger. With this flaw, unscrupulous people could record the mouse movements used for entering a password just by having a web page loaded in the background. Microsoft even advocates the security benefits of using mice-based password systems with its picture password feature in Windows 8. Yikes.
In this demo, the possibilities for mapping cursor movement are shown quite clearly. The video below even shows how some simple analysis of mouse movements can be used to gather private information like passwords or phone numbers. Even scarier is the revelation that at least two ad analytics companies are already using this exploit to track users. If you weren’t freaked out about advertisers tracking you before, now is the time to think again. The site that revealed the flaw even has a challenge posted for people to try to decipher tracked mouse movements. The leader board shows that it takes less than half an hour for someone to figure out what has been typed on a software keyboard. It’s very scary stuff.
The methodology of exploiting this flaw to track cursor movements and modifier key presses is out in the wild, and any generic ad on any trustworthy website can use it to track what you’re doing.