There’s a new security flaw in Internet Explorer that allows outside sources to track your mouse cursor, even when your browser is not in use. From IE6 to IE10, the flaw affects every supported version of Internet Explorer.
The issue was first discovered a few months ago by Spider.io, an ad analytics company whose job is to make sure your site visitors are real people, not spam bots. Spider.io actually pointed out the flaw to Microsoft on October 1. According to the company, Microsoft’s Security Research Center said it knew of the security flaw, but had “no immediate plans” to fix it in current, supported versions of the browser. Since Microsoft has refused to do anything about the flaw, Spider.io decided to go public with the security issue last night, saying it is “important for users of IE to be made aware of this vulnerability and its implications.”
This security hole could have large ramifications for the average user. To keep keylogger programs from copying everything they type (including sensitive data, such as credit card numbers, social security numbers, and passwords), many users have started using virtual keyboards and keypads. But now, malicious hackers have the ability to see where your mouse moves on a virtual keyboard and can copy your sensitive information.
Even more worrisome is that your activity on IE can be recorded even if you’re not currently using IE. According to The Next Web, people looking for your information can just buy an advertisement on a website you visit frequently. As long as that webpage is open, even if you’re not using it (if the browser is minimized in the background, or you’re using another tab), your movements can be tracked.
In fact, Spider.io said that the flaw is already being utilized by advertisers. Though the company didn’t list any names, it said the flaw is being used by at least two ad analytics companies “across billions of page impressions per month.”
Of course, you can say that you have nothing to worry about, since potential attackers would need to find out what websites you visit in order to exploit the flaw. But since the flaw is already being exploited for the benefit of advertisers, this probably isn’t too difficult. Spider.io’s Nick Johnson wrote that it doesn’t matter what kind of sites you visit, whether you go to shady file-sharing sites, or YouTube and The New York Times. Through ad exchanges, any website is a possible gateway for attackers.
Microsoft could not be reached for comment.