Security flaws are inevitable in operating systems and applications. Modern software is incredibly complex, and even the best developers in the world aren’t perfect. How the public responds to a security flaw largely depends on how the developer reacts to it. If the developer responds quickly with a promise to patch the flaw, and then delivers the fix in a timely manner, all is forgiven most of the time. Sadly, a flaw found in Internet Explorer that allows tracking of mouse movement and certain key presses — even when IE is minimized, or the tab is in the background — isn’t getting patched by Microsoft.
A web analytics company alerted Microsoft to this quirk back in October. The security vulnerability affects all versions of Internet Explorer from version 6 through 10. While Microsoft has acknowledged the issue, it isn’t going to be patched in the near future. This is a problem, not only for the obvious privacy concerns, but also for security. Some people use software keyboards on their screen specifically to reduce the chance of their passwords being tracked by a keylogger. With this flaw, unscrupulous people could record the mouse movements used for entering a password just by having a web page loaded in the background. Microsoft even advocates the security benefits of using mouse-based password systems with its picture password feature in Windows 8. Yikes.
In this demo, the possibilities for mapping cursor movement are shown quite clearly. The video below even shows how some simple analysis of mouse movements can be used to gather private information like passwords or phone numbers. Even scarier is the revelation that at least two ad analytics companies are already using this exploit to track users. If you weren’t freaked out about advertisers tracking you before, now is the time to think again. The site that revealed the flaw even has a challenge posted for people to try to decipher tracked mouse movements. The leaderboard shows that it takes less than half an hour for someone to figure out what was being typed on a software keyboard. It’s very scary stuff.
Copyright © 2010 Ziff Davis Publishing Holdings Inc