Internet Explorer rats out the mouse - Update

Company Spider.io warns that Internet Explorer allows a user's mouse position to be determined – even if the mouse cursor is located outside of the browser window or the browser window isn't being displayed at all either because it is minimised or the user has switched to view another tab or window. This is potentially dangerous because it enables web pages to intercept sensitive data that is being entered via virtual keyboards and virtual keypads, say the researchers.

The mouse coordinates are read via JavaScript code that is executed in the background using regular (fireEvent()) events; the events also expose the state of the Alt, Ctrl and Shift keys. According to Spider.io, this is possible in IE versions 6 to 10. The company says that it reported the vulnerability to Microsoft in early October.

On a demonstration page, Spider.io offers a video that shows the researchers intercepting a phone number which is being entered using Skype's virtual keypad. The company notes that this liberal handling of mouse data is already being exploited by at least two display ad analytics companies. However, Spider.io doesn't explain what exactly these companies do with the mouse cursor positions they establish.

Update 13-12-12 15:17 – Microsoft has now officially commented on the issue. In a statement to The H's associates at heise Security the company has said that it is investigating the issue but that, to date, there is no concrete evidence of targeted attacks or affected users. The company went on to say that it will provide further information as soon as it receives it and will be acting on it to protect its customers.

(djwm)