Vulnerability in IE 6 to 10 allows the position of the mouse cursor to be tracked; fear that passwords and other data could be stolen


By Paul.White

A vulnerability has been revealed in Internet Explorer versions 6 to 10 that allows the position of the mouse cursor to be tracked. Once this tracking begins, it continues even if IE's window is minimized, so if you use a service that has you enter information with a virtual keyboard or keypad, there is a fear that your password or credit card information will be stolen.

Spider.io - Internet Explorer Data Leakage
http://spider.io/blog/2012/12/internet-explorer-data-leakage/


You can see specifically what is being done by watching the following video.

IE Cursor Exploit Demo - YouTube
http://www.youtube.com/watch?v=qxUa2VWnE8A


The left side is the keypad, and the right side is data tracing the movement of the mouse cursor.


As the digits of a phone number are pressed one by one, the movement is traced and you can see which numbers are being pressed.


When the call key is pressed at the end, you can see that entry of the phone number has finished. This case uses a phone number, but a password or credit card information entered in the same way would be exposed just the same.


The link below is a demo page. Nothing happens in Firefox or Chrome, but when you access it with Internet Explorer, almost the same movement as on your desktop is reproduced on the site.

Challenge - spider.io
http://iedataleak.spider.io/demo


Microsoft's security research center is aware of this vulnerability, but it is not planning to take measures immediately.

However, a malicious attacker can track the cursor simply by purchasing advertisement space on a website and placing code in it, and the fact that the entire display can be traced even while IE is minimized is quite unwelcome. From the user's point of view, there seems to be no choice but to avoid using IE as much as possible for the time being.

2012/12/14 14:35 Addendum

Microsoft responds to IE mouse tracking exploit claims
http://www.neowin.net/news/microsoft-responds-to-ie-mouse-tracking-exploit-claims

Microsoft responded to what Spider.io pointed out. According to a spokesperson, "While we are investigating this issue, there are no reports from customers of active activities or adverse effects. When additional information can be provided, we will announce it in a timely manner and take measures to protect customers." The statement indicated that this vulnerability is not widespread around the world.

in Note, Posted by logc_nt