
Any page loaded in IE can track your mouse movements anywhere - nicksdjohnson
http://spider.io/blog/2012/12/internet-explorer-data-leakage/
======
colkassad
> The vulnerability is already being exploited by at least two display ad
> analytics companies across billions of page impressions per month.

Who are these companies?

~~~
3825
Name no names please. Don't want a witch hunt when we are in a glass house.

~~~
javajosh
Honestly, I don't understand this reluctance to name wrongdoers, especially
for something like this where verifying the wrong is trivial (e.g. load up a
client site and find the offending code in source).

It seems to me that the harm is greater not naming names - reputation is
important and if you take steps to invade user's privacy then your reputation
can and should suffer for it.

~~~
baddox
"Witch hunt" generally refers to persecution of someone without any regard to
whether they're innocent or guilty, so I presume the comment was intended to
admonish against _guessing_ which ad companies may be using this technique.

~~~
3825
Yes. I am sorry I was not clearer.

------
lini
Original Bugtraq post for those that are interested:
<http://seclists.org/bugtraq/2012/Dec/81>

------
chris_wot
I find it particularly inspiring that they turned this into a game. And more
inspiring still that folks spent 4 _hours_ playing the game!

------
happslappy
This could be used to track entropy of encryption key generation (like TrueCrypt,
or the new MEGA site, any site that employs mouse/key binding for entropy).

Damn, this is FUBAR!

------
alexjeffrey
While this seems like something that Microsoft should fix as a matter of
urgency, I don't believe the problem is as severe as is being portrayed.

In order to get any meaningful information from this attack, you would need to
know what application/website the user is currently using (or send them to
it), where it's positioned on the screen and the exact layout of the subject.
The interface would also have to be either mouse- or meta-key driven, which
isn't a common facet for sensitive inputs (passwords, bank transfers, and
private messages off the top of my head).

~~~
davidjgraph
Whether it's common or not isn't the issue, it's whether it's done at _all_ by
banks and suchlike.

My bank on their online site asks for my account number, a memorable piece of
data and a 6 digit passnumber that they generate (and I can't change). The
passnumber is entered using pull-down menus for each digit, always ordered
0-9.

So, no, an attacker wouldn't have access to all the information they need, but
they'd certainly have access to more than they should, in this case, if
they're able to take advantage of this, that is.

And it's not just for general users, some sites do offer additional
functionality in this field for users with accessibility requirements (large
on-screen number pads, etc).

So, yes, I'm sure the % of affected sites is low, but just 1 bank whose online
system is compromised by this is 1 bank too many.

Even if mouse position tracking is permitted, it should clearly be limited to
the current tab. Cross-tab, and certainly, cross-application is just clearly
wrong.

~~~
alexjeffrey
Agreed, which is why Microsoft should be held to account for not prioritising
fixing this problem. However, I felt that the portrayal of this particular
hole in the linked article made it out to be more than it is.

------
scotty79
It's a shame that before releasing that to the public no one gathered a few
terabytes of such data and put it up on torrents.

We might learn a lot about how people use computers and UIs with such data.

~~~
r00fus
Ignoring the keypresses (to prevent inadvertent credential sharing), and just
doing mouseclick heatmaps while anonymizing the IPs involved and sites visited
would be interesting (you'd want to keep screen size/browser.version data, for
an understanding of what the heatmaps represent).

Would provide lots of info without compromising much details.

~~~
ZoFreX
How would it provide lots of info? Without any data on which program they were
interacting with at the time, I'd have thought data on the mouse movements
would be fairly useless?

------
benologist
Interesting that this has been around for so long. What are the ramifications
of leaking mouse/ctrl/alt/shift if they don't have any context about _what_
you are clicking on?

~~~
jtchang
Who says they don't have any context?

Off the top of my head I know ingdirect had a virtual pinpad. Combine this
with an XSS vulnerability I could easily send you a link to log in to your bank
website. The link would then load this type of mouse tracking data.

~~~
nl
The INGDirect virtual pinpad changes the arrangement of the numbers every time
it loads and hides them when you click. That does provide some protection.

~~~
nwh
I keep seeing websites use those things, and it drives me utterly insane. Not
only is it an onscreen keyboard, but nothing stays still when I'm using the
damn thing. I hope more websites don't think it's a good idea.

~~~
taeric
I was under the impression this was actually a pretty good defence against USB
keyloggers that are trivial to install on a public computer. Is that not the
case? (Folks just not that concerned about that vector anymore?)

~~~
nwh
If someone has enough access to a computer to install a keylogger, they
probably have more than enough access to just read whatever is being "typed"
using the on screen keyboards. Inject JavaScript, read it out of the browser's
memory, whatever.

Of course you could be using such a system to defend against a hardware
keylogger, in which case I'd be thinking long and hard, trying to decide who I
pissed off.

Edit: Just realised you /were/ referring to a hardware keylogger. My
apologies.

~~~
ZoFreX
Yes, if someone had access to install arbitrary software on your computer they
could attempt to get behind any on-screen keyboards... but given the wide
variety of them, and how hard it would be to detect one based on its code
alone, I doubt anyone would bother.

Software keyloggers log which keys you type (obviously) but some also take a
screenshot whenever you click to defeat on-screen keyboards. It sounds like
INGDirect's keypad is designed to defeat this attack.
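
Added example, not part of any comment in this thread: a model of the defence the pinpad sub-thread above describes, a keypad whose digit arrangement is reshuffled on every load, next to a fixed 0-9 ordering, showing what pointer coordinates alone disclose in each case. The 5x2 grid, the 60px cells and every function name are assumptions for illustration, not INGDirect's implementation.

```javascript
// Added example: hypothetical keypad model, not any bank's real code.
const CELL = 60, COLS = 5, ROWS = 2;          // assumed geometry: 5x2 grid of 60px cells
const FIXED = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9]; // digits always in the same cells

// Unbiased integer in [0, n) from Web Crypto (browsers, recent Node.js).
function secureRandomInt(n) {
  const limit = Math.floor(0x100000000 / n) * n; // reject the biased tail
  const buf = new Uint32Array(1);
  do { globalThis.crypto.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Fisher-Yates shuffle; call once per page load. randomInt is injectable for tests.
function shuffledLayout(randomInt = secureRandomInt) {
  const digits = FIXED.slice();
  for (let i = digits.length - 1; i > 0; i--) {
    const j = randomInt(i + 1);
    [digits[i], digits[j]] = [digits[j], digits[i]];
  }
  return digits;
}

// Cell index under a keypad-relative point, or -1 when the point is outside.
function cellAt(x, y) {
  const col = Math.floor(x / CELL), row = Math.floor(y / CELL);
  return col < 0 || col >= COLS || row < 0 || row >= ROWS ? -1 : row * COLS + col;
}

// Centre-of-cell click positions a user produces when entering `pin` on `layout`.
function clicksFor(layout, pin) {
  return [...pin].map((ch) => {
    const cell = layout.indexOf(Number(ch));
    return { x: (cell % COLS + 0.5) * CELL, y: (Math.floor(cell / COLS) + 0.5) * CELL };
  });
}

// What coordinates alone disclose when the observer assumes `assumedLayout`.
function digitsFromCoordinates(assumedLayout, clicks) {
  return clicks.map(({ x, y }) => {
    const cell = cellAt(x, y);
    return cell < 0 ? '?' : String(assumedLayout[cell]);
  }).join('');
}
```

With the fixed layout the coordinates map straight back to the PIN; with a per-load layout the same decoding only succeeds for a party that also knows that load's arrangement, which is the site itself.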

------
bonjourmr
This should scare customers whose bank uses a login system such as this,
correct?
[https://online.westpac.com.au/esis/Login/SrvPage?referrer=ht...](https://online.westpac.com.au/esis/Login/SrvPage?referrer=http%3A%2F%2Fwww.westpac.com.au%2Fpersonal-banking%2F)

------
meaty
Looking at the holes and crocks of shit we see every damn day related to HTTP,
HTML, JavaScript and the whole programming model that surrounds them, it's
about time someone just shot it all and started again putting security and
privacy first rather than playing whack-a-mole all the time.

Unfortunately I fear this is not possible based on the sheer momentum that
this ball of sticky tape and string has.

I think the sheer number of articles that paper HN all the time over browser
and protocol vulnerabilities, leaks and problems back up my assertion.

EDIT: just to add, my frustrations are based on having to spend 5 hours
porting some JS code so it works properly on all browsers.

~~~
davedx
It's an Internet Explorer vulnerability. Shell level IE exploits are one of
the reasons Firefox and Chrome have done so well, because they're more secure.
Don't paint every browser with the same brush.

~~~
meaty
Yes I know but the sheer number of articles aggregated across all browsers
point to the architecture of the web being completely flawed.

Consequentially, they're all as bad as each other.

"More secure" is subjective i.e. it's more secure to us public but who the
hell knows there aren't 100 zero-days out there in the wild changing hands
for thousands of dollars.

~~~
cheald
I think you're being needlessly dismissive of how hard a problem it is. There
are legitimate use cases for capturing mouse position. You could certainly
make a secure browser, but you're also going to strip it of much of the
functionality that we enjoy today.

The problem doesn't exist because people just aren't paying attention to
security, or because the entire architecture of the web is flawed. The problem
exists because it's a _damn hard problem_ to deliver arbitrary executable code
to clients on demand and let them run it and do useful things with it without
compromising security and privacy. The browser vendors have really stepped it
up in the last few years, and it takes a very narrow view of the web to see
otherwise.

~~~
meaty
Not really. It's not a hard problem to solve if you start at the right end of
it rather than retrospectively apply it.

Capturing the mouse position is perhaps legitimate for an "application" but
not necessarily a "document". The web conveniently has turned from an
information medium into a catch all for pretty much every hack that is
imaginable. That's where it's all fallen over. "documents" are now
"applications". This has led to all of the crocks of shit out there. Office
VBA and programmable documents are in a similar state.

I firmly believe we need to make the distinction between a document and an
application and have appropriate sandboxes and/or virtualization for each.

Documents deliver information.

Applications deliver means of interaction.

~~~
Yaggo
> I firmly believe we need to make the distinction between a document and an
> application and have appropriate sandboxes and/or virtualization for each.

You can go back to 1993 and turn your web application platform (a.k.a browser)
into simple document reader by disabling JavaScript (+ plugins, whoever keeps
them enabled anyway). Good luck with that.

~~~
kyllo
Oddly enough IE is the browser that seems to keep the option of disabling
Javascript buried the deepest within their context menus. In Firefox it's just
Preferences -> Content -> uncheck "Enable Javascript" (I do this to avoid
NYTimes' paywall, lol) but in IE you have to scroll through an exceedingly
long list of checkboxes that's a couple levels deep into their menus to find
"Disable active scripting" because they still refuse to call it Javascript. I
always forget where it is and have to hunt for it every time. Obnoxious.

~~~
yuhong
You are supposed to set the security level of the Internet zone to "High" (the
default on Windows Server), or add the sites needed to the "Restricted Sites"
zone.

------
alpb
This is not correct. When I run it on IE, first it asks permission to run
ActiveX controls on my browser, which I don't allow if I trust.

Then of course, it is just like Flash, it can track your mouse.

~~~
wlesieutre
I received no ActiveX warning with Windows 7 and IE9. What version are you
running?

~~~
alpb
IE10.

------
blahpro
Just to point out how ridiculous this is: you can get mouse position
information from _any_ event (fired programmatically using fireEvent or
otherwise). You can even get it from the "onbounce" event on <marquee>
elements, for goodness’ sake.

------
rossc1
Is there any, any whatsoever, evidence to say that this exploit has ever been
exploited?

It seems far fetched. And if you're using a virtual keyboard for security...
you'd be using IE? C'mon now.

------
wahsd
Kind of ironic considering Windows 8 visual/swipe password feature. Which, in
general, is quite novel and interesting, albeit not very secure for various
other reasons.

~~~
snarfy
The proof-of-concept should be a page that tracks the swipes and can then log
in on Windows 8. I bet then Microsoft would prioritize fixing it.

~~~
ygra
It cannot. The log-on gesture is made on a completely different desktop under
a completely different user account. If _that_ worked then Microsoft would
have a much more severe problem to fix.

------
navneetpandey
I have no problem at all, whether they track mouse movement or anything else.

You know why? because I use Chrome.

------
abdophoto
Freaking IE. I hate that damn browser

------
goggles99
This is so low risk, why even bother posting it? Zero days come out every
month or two with far better attack vectors. Criminals are not going to waste
their time with this rubbish.

