Spider.io refutes Microsoft's claim about the IE mouse tracking exploit

Earlier today we posted Microsoft’s response to the Spider.io post pertaining to the mouse tracking exploit within Internet Explorer. In a nutshell, Microsoft refuted the claims stated by Spider.io but did say that they are actively working to fix the security hole.

Not one to sit back and let Microsoft put down its initial claim, Spider.io has responded to Microsoft’s assertions on the mouse tracking issue. Rather than summarize the content, we have posted the meat of the response below, which attempts to hit back at what Microsoft stated.

Two clarifications

There are two other points in Microsoft’s post which we believe are important to clarify.

Firstly, the post includes an ambiguous sentence: “There are similar capabilities available in other browsers.” It is important to clarify that other browsers do not leak mouse-cursor position outside of the browser window in the way that Internet Explorer does.

Secondly, it has been suggested that exploitation of the vulnerability to compromise login details and other confidential information is “theoretical”, “hard to imagine” and would require “serving an ad to a site that asks for a logon.” This is not the case. Ads do not need to be served to sites requiring login details. Ads need only to be served to some page which is open in Internet Explorer. The page with an embedded ad may be in a background tab. The page may be minimized. You may be using an entirely different application—potentially a different browser or some other desktop application—to log in. As has already been noted on Hacker News, if you were to log in at this banking website using any browser (perhaps using your Chrome browser, for the sake of argument), then you would be vulnerable to attack if you had another page open in Internet Explorer, even if Internet Explorer was minimized. There are many similarly vulnerable sites and applications. If there is any uncertainty about whether it would be possible to decipher mouse traces to determine confidential details typed in with a virtual keyboard, we suggest readers of this post try this deciphering challenge.

With the above being said, Spider.io is holding firm to their point. Additionally, to push back against the thought that they may be doing this to harm their competitors, Spider.io did state explicitly that they tried to vet this issue privately with Microsoft and took it public after their concerns were brushed over.

We don’t expect Microsoft to come out swinging against the above statement; we expect that the next time we hear about this issue will be when Microsoft delivers a patch to fix the flaw.

Source: Spider.io


28 Comments


audioman said,
Yes, "what you don't know can't hurt you".

If that's true, when are we going to get a flurry of articles on neowin.net about the lack of sandboxing in FF and other browsers? Besides IE and Chrome, I don't think any of them have sandboxing. Seems much more pertinent if you're concerned about security.

audioman said,
Yes, "what you don't know can't hurt you".
Or what has an almost 0 chance of hurting me will most likely not hurt me.

J_R_G said,

If that's true, when are we going to get a flurry of articles on neowin.net about the lack of sandboxing in FF and other browsers? Besides IE and Chrome, I don't think any of them have sandboxing. Seems much more pertinent if you're concerned about security.

Chrome is sandboxed.

Wait a sec, doesn't the demo spider.io use, and the target they mention (bank web page virtual keyboard log in) require the web page to be open? So how would the fix they request (disabling mouse tracking outside the web page) help? It's been asserted that it is impractical to exploit this outside a web page (because of lack of knowledge about system metrics like resolution, virtual keyboard location, size and format, when a user clicks, etc.) so their demo does nothing to address that. And since other browsers allow tracking in web pages, their demo and list of potential bank web page targets would work just as well in those browsers. Still looks like a non-issue to me, just click bait and propaganda for the anti-IE brigade.

It appears that my comment was mistakenly deleted, so I will re-add it:

Not one to sit back and let Microsoft try to cover up the mouse tracking exploit in IE

Wow, Brad, now you are claiming that there is a conspiracy put in place by Microsoft to keep this hidden? Are you sure you didn't once work at Engadget or The Verge?

This is such garbage...who logs in to their bank account with a mouse-controlled on-screen keyboard? And how would a web page know the size, location, and arrangement of the on-screen buttons? And how would they know a click versus a hover?

Move along folks...nothing to see here...

I'd like to put some malware on your PC which makes use of this nice exploitable feature. It would show you how Microsoft's bad design (which they said they will fix, while trying to belittle the problem) is beneficial for malware authors. Then you could try belittling the issue like others here, while keeping a straight face.

audioman said,
I'd like to put some malware on your PC which makes use of this nice exploitable feature. It would show you how Microsoft's bad design (which they said they will fix, while trying to belittle the problem) is beneficial for malware authors. Then you could try belittling the issue like others here, while keeping a straight face.

I'll bite, provide all us 'ignorant' security people how this would truly be viable in the real world.

While you are doing this, forward the phone number or IP of your Android phone and I'll have my team show you what 'real' exploits are...

You claim that full-fledged mouse tracking like this is not viable in the real world, and you call yourself a "security person"? You're truly ridiculous. Also, take your hacker/cracker dares to your little elite community.

It's quite simple. An application should not report mouse position with any degree of accuracy on request when the cursor is outside the application in question. Any position request should either error or return undefined. IE does not do this.

For all those going "so does WinEyes" the application area is the desktop and it passes all events on. IE has no need to do this.

I'm pretty sure thenetavenger works on the Windows team. So I guess that's what he means when he's talking about "his team". Not some hacker group.

Westpac Australia requires your online banking password to be entered using an onscreen keyboard. Citibank Australia requires the same, along with other PINs, however the numeric keypad is scrambled randomly each time.
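
The scrambled keypad mentioned in the comment above, sketched as an added example (not part of the original thread and not any bank's code): with a fresh digit layout per session, the screen positions an off-page observer records no longer map to fixed digits. The function names and the 3-column, 60-pixel grid are assumptions.

```javascript
// Added example: per-session scrambled PIN pad. All names are hypothetical.

// Unbiased integer in [0, n) from the Web Crypto CSPRNG (rejection sampling).
function secureRandomInt(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do {
    globalThis.crypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// Fisher-Yates shuffle of the ten digits. randomInt is injectable so the
// layout can be made deterministic in tests; production uses the CSPRNG.
function scrambledDigits(randomInt = secureRandomInt) {
  const digits = [...'0123456789'];
  for (let i = digits.length - 1; i > 0; i--) {
    const j = randomInt(i + 1);
    [digits[i], digits[j]] = [digits[j], digits[i]];
  }
  return digits;
}

// Place the digits on a 3-column grid (assumed geometry, keySize in pixels).
function buildKeypad(digits, keySize = 60) {
  return digits.map((digit, idx) => ({
    digit,
    x: (idx % 3) * keySize,
    y: Math.floor(idx / 3) * keySize,
    size: keySize,
  }));
}

// Map a pointer position (relative to the keypad origin) to a digit or null.
function digitAt(keypad, x, y) {
  const key = keypad.find(
    (k) => x >= k.x && x < k.x + k.size && y >= k.y && y < k.y + k.size
  );
  return key ? key.digit : null;
}

// Constructed check: the same two positions spell different digits per layout.
const layoutA = buildKeypad(scrambledDigits(() => 0));      // 1234567890
const layoutB = buildKeypad(scrambledDigits((n) => n - 1)); // 0123456789
const trace = [[10, 10], [70, 10]];                         // constructed positions
console.log(trace.map(([x, y]) => digitAt(layoutA, x, y)).join('')); // 12
console.log(trace.map(([x, y]) => digitAt(layoutB, x, y)).join('')); // 01
```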

Of course the Microsoft fanboys will defend Microsoft over this. And no I'm not an Apple fanboy either, I used Windows. But Microsoft has a long history of their own spyware, and lies.

I use Firefox and Coolnovo, but mostly Firefox.

They probably put this in to track their Bing reward users, and don't care if it's used as an exploit.

jd100 said,
Of course the Microsoft fanboys will defend Microsoft over this. And no I'm not an Apple fanboy either, I used Windows. But Microsoft has a long history of their own spyware, and lies.

I use Firefox and Coolnovo, but mostly Firefox.

They probably put this in to track their Bing reward users, and don't care if it's used as an exploit.

Of course the Microsoft haters will hate Microsoft over this. But the Microsoft haters will make a bunch of claims that Microsoft is using this to spy on people with no proof that is happening.

Google did (not probably, but did, and were fined for it) use code to track Firefox and Safari users, who then defended Google doing that because Google needs to make money somehow.

jd100 said,
Of course the Microsoft fanboys will defend Microsoft over this. And no I'm not an Apple fanboy either, I used Windows. But Microsoft has a long history of their own spyware, and lies.

I use Firefox and Coolnovo, but mostly Firefox.

They probably put this in to track their Bing reward users, and don't care if it's used as an exploit.


Track what, man? It cannot see what's beneath the page, it cannot interact, it cannot record clicks.
You have to know in advance what the user will be doing at exactly what time. You need a lot more tools and techniques to see what a user is exactly doing on its system.
And if they can see what you're doing, they can already track your mouse.

But again, Firefox can do the exact same.

Ugh, the guys at Spider.io need to sh*t up. I mean: seriously, the exploit isn't useful. How do they know if it clicks or hovers, how do they know on what they click, on which site/window? There are a lot of options, nobody would use this. Besides: other browsers have this also, like Microsoft said. Writing a working exploit on Chrome should be that hard, it's JavaScript, every browser can do this, with less or more code!

You couldn't do it on any other browser. Any website opened in any browser can get the position of the mouse, yes. This is a standard Javascript feature. What they can't do is get the position when the mouse is in another application, or when the mouse is in another tab, or when the mouse simply leaves the "page" to go to the tabs or the taskbar. This is the exploit - a website in IE can see the mouse *anywhere*. Not just the page it is used on.

It is admittedly tricky to use in an attack scenario, but not impossible. It would be wise for Microsoft not to just blow it off but to shut the exploit down *now* before someone does find a way to make it "useful". Waiting for a few million people to have their data compromised before doing anything is not the answer.

Proof if there ever was any that they really don't give a stuff about privacy...

They still don't explain how you can guess whether a keyboard is on screen, what its layout is, its size and position, the website it's used by, the user name associated with the password...

BS.

Aethec said,
They still don't explain how you can guess whether a keyboard is on screen, what its layout is, its size and position, the website it's used by, the user name associated with the password...

BS.


It's easy if you exactly know where anything on the screen will be at a specific time.
Ah well, FF, Opera, Safari, Chrome etc. have this functionality as well.
As it's W3 standard compliance ~.~

Want it changed, people should cry to W3 and not to Microsoft. They are just implementing the official standard the same douchebags who are crying over this, cried to MS for not implementing HTML standards.

Pathetic hypocrite idiots is what they are. But hatred on IE is good for traffic (see the whole BS the German/Dutch governments pulled a few months ago, announcing by TV/Radio and whatever to stop using IE because it has security flaws).

In IE's defense.
IE has been the most secure browser since the release of IE8.
IE8 took 1,5 years before ANYONE broke through its sandboxing (meaning, any exploit before, was gone the moment you closed the browser window).
IE9 it took around 7 months before their sandboxing was broken.
IE10 in 64bit mode is still unhacked. (Desktop IE is lacking quite some security features, but blame the Windows 8 criers for that, plus it's possible to let desktop IE start in 64bit mode, however you won't have ActiveX or other plugins anymore.)

Chrome is one of the most unsecure browsers (which was recommended by German/Dutch governments).

It more and more feels like Google is playing a very dirty game in the browser wars. A game MS and Netscape didn't even dare to play in the first browser wars.

I wonder how it works when you have windows snapped side by side like they had in the vid. I use that method often. In the vid it showed the screen taking up a portion of the screen would it have worked the same with a full screen window? The vid was just a little confusing for me because it had the exact same layout. How would they know what size you would have your window? Just confusing.
