IE mouse tracking claims may have had alternative motives

A few days ago, Spider.io made a rather bold claim that Internet Explorer had a mouse tracking exploit that Microsoft refused to fix. Microsoft quickly responded by disputing the claims and has now also penned a much longer post on its IE blog at MSDN.

Dean Hachamovitch, corporate vice president for Microsoft's Internet Explorer team, took to the site to state that Microsoft is “actively working to adjust this behavior in IE.” Dean further states that, from what they know, this “has more to do with competition between analytics companies than consumer safety or privacy.”

In the post, Dean also points out that the only folks using this technique are competitors of Spider.io and, from what we gather, Spider.io might be looking to harm its competitors' services by crying wolf over the mouse tracking exploit.

It’s quite simple really: Spider.io’s competitors use a mouse tracking technique that Spider.io does not, so why not make a lot of noise about the issue in the hope that Microsoft closes the hole and hobbles those competitors at the same time? It’s a win-win for Spider.io: they appear to be the good guys for reporting the issue, and they get to hurt how their competitors operate.

Whatever Spider.io’s motive, Microsoft is responding and is actively working to fix the issue.

Source: Microsoft


13 Comments


Nice how initially they didn't seem to care about, but once the bad press started rolling in, suddenly they are “actively working to adjust this behavior in IE.”

Also, it doesn't matter WHAT Spider.io's motives were, the FACT is that IE allows for exploitable mouse tracking which is a serious issue. Spinning it to paint Spider.io as some sort of bad guy here is just that, spin.

What they should have done, from the moment it was pointed out to them, is say "Thank you" and then feverishly work to patch it, and not wait until some Patch Tuesday in the future, but instead patch it and release the patch as soon as it is ready, as that would be the responsible thing to do.

Exploitable? It allows a website to see the mouse co-ordinates. It doesn't allow it to see what the mouse is actually pointing at. How exactly can someone exploit that?

Not to mention that every other browser has the same "exploitable" feature that IE does. When it comes to security and patch releases, Microsoft does it better than any other software developer out there and that's a fact. If they thought this was an issue they would have started working on a patch as soon as they found out about it (they've done it countless number of times in the past). But the only reason this is news is that some random site that nobody has ever heard of wants some hits and free press.

aboogabooga said,
Exploitable? It allows a website to see the mouse co-ordinates. It doesn't allow it to see what the mouse is actually pointing at. How exactly can someone exploit that?

Not to mention that every other browser has the same "exploitable" feature that IE does. When it comes to security and patch releases, Microsoft does it better than any other software developer out there and that's a fact. If they thought this was an issue they would have started working on a patch as soon as they found out about it (they've done it countless number of times in the past). But the only reason this is news is that some random site that nobody has ever heard of wants some hits and free press.

Except that it doesn't work with other browsers. Go ahead, try it for yourself. They have a demo site set up.

Also, many banking websites now require you to click in your PIN instead of typing it in. If the pattern of movements can be tracked, it would become trivial to figure out the actual PIN, as the potential combinations would be limited based on the pattern.

And besides, just because YOU can't come up with an exploit doesn't mean that other people can't. And please, give me a break with the "Microsoft does it better than any other software developer out there and that's a fact." garbage. MS has probably the worst track record in the industry for security.

Except that it doesn't work with other browsers. Go ahead, try it for yourself. They have a demo site set up.

Um yes it does. I don't care what demo site spider.io sets up.

http://stackoverflow.com/quest...script-track-mouse-position

Also, many banking websites now require you to click in your PIN instead of typing it in. If the pattern of movements can be tracked, it would become trivial to figure out the actual PIN, as the potential combinations would be limited based on the pattern.

What bank do you use that requires you to enter a PIN by clicking? Most banks use passwords or passwords and a single-use PIN that changes constantly (BoFA, Chase, HSBC, Schwab, OFCU, PNC etc). I've yet to see a single bank site that has a single never-changing PIN to log in to your account, that's just moronically stupid.

And please, give me a break with the "Microsoft does it better than any other software developer out there and that's a fact." garbage. MS has probably the worst track record in the industry for security.

Do they? This isn't XP anymore, back then I would have agreed with you but pretty much since Vista MS has made security a priority. They release security patches FASTER on average than any other software developer, and that is a fact.

Their products are used by something like 1-1.5 billion people, guess what people are going to want to target Windows / Office. Look how much malware targets Android, but wait, it's Linux, isn't it? It should be non-hackable. Popular software is always going to get heavily targeted, it's just the way it is.

kenboldt said,
They have a demo site set up.

Been there, nothing to see. The amount of unknowns they are purporting are known by the attacker is immense to say the least. Their skype call example means you know it's a skype call or a phone number.

kenboldt said,
Also, many banking websites now require you to click in your PIN instead of typing it in. If the pattern of movements can be tracked, it would become trivial to figure out the actual PIN, as the potential combinations would be limited based on the pattern.

Again, a huge amount of unknowns. First off, most banking sites don't have adverts on their page. So, you're hoping the exploiter can a) glean the password combination based off of the click pattern, which is low to begin with, then b) the advertiser has to decide exactly what web page you were on using that PIN. You do realize this is like actively expecting a meteorite to hit you when you step out of your front door every morning.

kenboldt said,
And besides, just because YOU can't come up with an exploit doesn't mean that other people can't.

Let's talk about something lost among so many these days. It's the difference between probability and possibility. Certainly, given enough time someone *could* find a way to exploit this, like so many other browser features. However, the likelihood is so small people are better off making sure a toilet isn't falling from a failing satellite when they are walking down the sidewalk.

aboogabooga said,

stuff

Gah, I had a big long reply typed, clicked close on the wrong tab, lost it all. stupid itchy trigger finger

Whatever. Anyway, the main point is, it IS an exploitable flaw, and should be patched, not just when bad press is released, and it shouldn't wait until some scheduled Tuesday.

Flaw identified --> patch made and tested --> patch released

That should be how it works. For everyone. Not just Microsoft. Everyone. Spin is just spin. I have far more respect for people and companies when they can admit mistakes and work to correct them rather than performing any sort of blame game or spin to prevent the bad press.

Oh, and just to get a little jab in here, I always laugh when people bring up the whole idea of Windows is used by so many people and that's why it is a target. I always ask them to use the interwebs and the googles to have a look at how many Linux servers are running the web as we know it and how much traffic they see each and every day, but Linux is a small target right. This very website we are on right now runs on an Apache server.

I also wanted to make it clear, since tone of voice is difficult to portray sometimes in text, that this is all meant with a very friendly tone. I'm just having a friendly debate here and none of my posts should be read with any sort of angry or hostile tone.

Cheers

MrHumpty said,
Again, a huge amount of unknowns. First off, most banking sites don't have adverts on their page. So, you're hoping the exploiter can a) glean the password combination based off of the click pattern, which is low to begin with, then b) the advertiser has to decide exactly what web page you were on using that PIN. You do realize this is like actively expecting a meteorite to hit you when you step out of your front door every morning.

You've heard of a phishing attack before right? A phishing site with a keylogger and this exploit in tandem would give an attacker all the info they would need to get into someone's bank account.

MrHumpty said,
Let's talk about something lost among so many these days. It's the difference between probability and possibility. Certainly, given enough time someone *could* find a way to exploit this, like so many other browser features. However, the likelihood is so small people are better off making sure a toilet isn't falling from a failing satellite when they are walking down the sidewalk.

YOU think that the likelihood is small. Attackers jump through much larger hoops to get information that is nowhere near as valuable as this. It is a flaw that can give an attacker valuable information and has been demonstrated to work. Do you honestly believe that attackers who run scams for a living are going to sit back and say, you know what, let's pass on this one?

Like I said before, the whole point is that this is a demonstrated flaw. Just patch it, test your patch, and release it. Forget the spin. Forget the blame game. Just patch it and don't wait for some scheduled Tuesday to do it. Do it now.

kenboldt said,

You've heard of a phishing attack before right? A phishing site with a keylogger and this exploit in tandem would give an attacker all the info they would need to get into someone's bank account.

Just so we're clear, someone who's successfully loaded a keylogger payload on a machine would waste their time hoping to have a page loaded... in IE... to use in tandem with their keylogger to see a PIN number clicked?

Are you seriously that desperate to make this into a big deal? If I have a keylogger on a system I already have access to ScreenShots, mouse movements, browser history, etc. etc. My god man. Why would they engineer such an unreliable and convoluted setup when it could all be handled so easily?

kenboldt said,
It is a flaw that can give an attacker valuable information and has been demonstrated to work.

Seriously, valuable? Again, like I said, even if you had an idea what the PIN combination was... how in God's green earth are you going to know which website it was for? It's almost comical how you're building a bogeyman here.

Oh, and just to get a little jab in here, I always laugh when people bring up the whole idea of Windows is used by so many people and that's why it is a target. I always ask them to use the interwebs and the googles to have a look at how many Linux servers are running the web as we know it and how much traffic they see each and every day, but Linux is a small target right. This very website we are on right now runs on an Apache server.

The most direct / popular way of getting malware onto a computer is getting the user to download a file. I highly highly doubt an admin of a linux server / datacenter will be downloading freeporn.deb. Also people who hack websites often have to use specially targeted attacks if they want to get anything (and that's happened plenty of times this past year), for desktop stuff you don't have to since most people aren't security conscious or good with tech.

So it can track it even when the mouse cursor is not over the webpage?

I take it this is normal JavaScript? What property is used? clientX? How does this track it outside of the window object?

It's a cross-site scripting (XSS) security issue. One site can get information about the mouse cursor location when the mouse cursor is located in another site. That's the security flaw.

Mouse location should not be available in the XSS case. ESPECIALLY if all windows are minimized and there is no focused website.

Could be used for getting bank details. Have a malicious site load a banking site in a frame. The malicious site knows the location of all the elements on the banking site (because the author of said malicious site gathered that data from the banking site by hand), wait until the mouse cursor is in the password field's location. Switch focus to the malicious site when the mouse pauses, password gets entered into malicious site….
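The PIN-pad scenario the commenters argue about, as an added example (this is not code from the article, from spider.io's demo, or from any bank): given a leaked stream of pointer coordinates and a keypad whose on-screen geometry the attacker already knows, pauses in the stream can be mapped back to digits. The keypad origin, key size, layout and the sample stream below are all constructed for illustration. The example also shows the flip side of the "huge amount of unknowns" objection: the same coordinates decode to a different string if the layout assumption is wrong, so the inference only works against a fixed, known pad.

```javascript
// Added example: inferring clicked PIN digits from a leaked stream of mouse
// coordinates, assuming the attacker knows the keypad's on-screen geometry.
// All data here is constructed; nothing is taken from a real bank or from
// spider.io's demonstration.

// Hypothetical fixed on-screen keypad: 3 columns x 4 rows, each key 60x40 CSS
// pixels, top-left corner of the pad at (200, 300) in page coordinates.
const PAD_ORIGIN = { x: 200, y: 300 };
const KEY_W = 60;
const KEY_H = 40;
const FIXED_LAYOUT = [
  ['1', '2', '3'],
  ['4', '5', '6'],
  ['7', '8', '9'],
  [null, '0', null],   // bottom row: only the middle key carries a digit
];

// A different (assumed) arrangement of the same keys, to show that the
// inference depends entirely on knowing the real layout.
const ALT_LAYOUT = [
  ['7', '0', '3'],
  ['2', '8', '5'],
  ['1', '4', '9'],
  [null, '6', null],
];

// Map one page coordinate to a key label, or null if it falls outside the pad.
function keyAt(layout, x, y) {
  const col = Math.floor((x - PAD_ORIGIN.x) / KEY_W);
  const row = Math.floor((y - PAD_ORIGIN.y) / KEY_H);
  if (row < 0 || row >= layout.length || col < 0 || col >= layout[0].length) {
    return null;
  }
  return layout[row][col];
}

// Find dwell points: runs of consecutive samples that stay within `radius`
// pixels of the run's first sample for at least `minSamples` samples (the
// pointer pausing over a key before clicking). Returns one coordinate per run.
function dwellPoints(samples, radius = 4, minSamples = 3) {
  const dwells = [];
  let run = [];
  const close = (a, b) => Math.hypot(a.x - b.x, a.y - b.y) <= radius;
  for (const s of samples) {
    if (run.length === 0 || close(run[0], s)) {
      run.push(s);
    } else {
      if (run.length >= minSamples) dwells.push(run[0]);
      run = [s];
    }
  }
  if (run.length >= minSamples) dwells.push(run[0]);
  return dwells;
}

// Turn dwell points into a candidate PIN. Dwells outside the pad (the pointer
// resting elsewhere on the page) are dropped.
function inferPin(samples, layout) {
  return dwellPoints(samples)
    .map(p => keyAt(layout, p.x, p.y))
    .filter(k => k !== null)
    .join('');
}

// Constructed sample stream: the pointer glides across the page, pauses over
// four keys in turn (4 samples within a couple of pixels each), then leaves.
const SAMPLES = [
  { x: 50, y: 100 }, { x: 120, y: 200 }, { x: 200, y: 280 },
  { x: 230, y: 320 }, { x: 231, y: 321 }, { x: 230, y: 322 }, { x: 232, y: 320 }, // over "1"
  { x: 300, y: 360 },
  { x: 350, y: 365 }, { x: 351, y: 364 }, { x: 350, y: 366 }, { x: 352, y: 365 }, // over "6"
  { x: 300, y: 420 },
  { x: 230, y: 400 }, { x: 231, y: 401 }, { x: 229, y: 400 }, { x: 230, y: 402 }, // over "7"
  { x: 290, y: 440 }, { x: 290, y: 441 }, { x: 291, y: 440 }, { x: 290, y: 442 }, // over "0"
  { x: 600, y: 700 },
];

// Stand-alone run: decode with the correct layout and with the wrong one.
console.log('fixed layout ->', inferPin(SAMPLES, FIXED_LAYOUT));
console.log('alt layout   ->', inferPin(SAMPLES, ALT_LAYOUT));
```

With the correct layout the four dwells decode to the digits the pointer paused over; with the alternative layout the identical coordinate stream decodes to an unrelated string. That is exactly the dependency the thread is arguing over: coordinates alone are only useful to someone who already knows what was drawn where on the page the victim was looking at.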