Researchers have discovered a security flaw in Internet Explorer (IE) that lets people remotely track users' mouse movements, and three major online analytics companies are already exploiting this to see what we are doing online.
London-based analytics firm Spider.io discovered the flaw and reported the problem to Microsoft's Security Research Centre, which has said it has "no immediate plans" to patch the security hole in existing versions of IE. The security hole allows anyone exploiting it to track a user's mouse movements, even when the IE window is minimised, letting them see what people are looking at online.
This security flaw is currently being exploited by three large online advertising companies which provide advertising analytics for billions of web page views every month. In an interview with the Guardian, Spider.io CEO Doug de Jager said:
"The vulnerability is being exploited rather mischievously by these companies to measure the viewability of display ads - arguably the hot topic in display advertising at the moment," de Jager told the Guardian. "Almost every US-based user of Internet Explorer will have their mouse cursor tracked via this exploit almost every day they browse the web."
However, despite this, Microsoft isn't planning on issuing a patch any time soon: "We are currently investigating this issue, but to date there are no reports of active exploits or customers that have been adversely affected," Microsoft said in a statement, adding that it would take "appropriate action to protect our customers."
As this brief demonstration video shows, the flaw is used to monitor a user's activity on Internet Explorer even if the window is minimised or inactive. It can also track the movements and keystrokes of virtual keypads and virtual keyboards, which are commonly considered the best way to prevent hackers from tracking mouse movements.
The flaw was reported to Microsoft on 6 October, with Spider.io informing Microsoft that versions 6 to 10 of Internet Explorer are affected. But since Microsoft has no plans to respond, Spider.io has publicised the problem itself:
"This is not restricted to lowbrow porn and file-sharing sites. Through today's ad exchanges, any site from YouTube to the New York Times is a possible attack vector," reported the Spider.io blog on Tuesday, 11 December.
"A security vulnerability in Internet Explorer, versions 6-10, allows your mouse cursor to be tracked anywhere on the screen, even if the Internet Explorer window is inactive, unfocused or minimised," explains the blog post. "The vulnerability is notable because it compromises the security of virtual keyboards and virtual keypads.
"As a user of Internet Explorer, your mouse movements can be recorded by an attacker even if you are security conscious and you never install any untoward software. An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit."
To demonstrate how mouse movement tracking can be exploited, Spider.io has devised a Flash game in which the goal is to observe the movement of a cursor and decipher a message from it. As of 13 December, the game's leaderboard was topped by a player who uncovered all 12 keyboard patterns in 25 minutes.