Internet Explorer Data Leakage

On the 1st of October, 2012, we disclosed to Microsoft the following security vulnerability in Internet Explorer, versions 6–10, which allows your mouse cursor to be tracked anywhere on the screen—even if the Internet Explorer window is minimised. The vulnerability is particularly troubling because it compromises the security of virtual keyboards and virtual keypads.

The motivation for using a virtual keyboard is typically that it reduces the chance of a keylogger recording one’s keypresses and thereby compromising one’s passwords or credit card details. (c.f. bit.ly/YnNBYE; bit.ly/VpapWf)

Whilst the Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser. It is important for users of Internet Explorer to be made aware of this vulnerability and its implications.

The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month.

A follow-up blog post may be found here.

Vulnerability Disclosure

Package: Microsoft Internet Explorer
Affected: Tested on versions 6–10
BugTraq Link: seclists.org/bugtraq/2012/Dec/81

Introduction
A security vulnerability in Internet Explorer, versions 6–10, allows your mouse cursor to be tracked anywhere on the screen, even if the Internet Explorer window is inactive, unfocused or minimised. The vulnerability is notable because it compromises the security of virtual keyboards and virtual keypads.

As a user of Internet Explorer, your mouse movements can be recorded by an attacker even if you are security conscious and you never install any untoward software. An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit. This is not restricted to lowbrow porn and file-sharing sites. Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector. Indeed, the vulnerability is already being exploited by at least two display ad analytics companies across billions of webpage impressions each month. As long as the page with the exploitative advertiser’s ad stays open—even if you push the page to a background tab or, indeed, even if you minimise Internet Explorer—your mouse cursor can be tracked across your entire display.

Details of the vulnerability
Internet Explorer’s event model populates the global Event object with some attributes relating to mouse events, even in situations where it should not. Combined with the ability to trigger events manually using the fireEvent() method, this allows JavaScript in any webpage (or in any iframe within any webpage) to poll for the position of the mouse cursor anywhere on the screen and at any time—even when the tab containing the page is not active, or when the Internet Explorer window is unfocused or minimized. The fireEvent() method also exposes the status of the control, shift and alt keys.

Affected properties of the Event object are altKey, altLeft, clientX, clientY, ctrlKey, ctrlLeft, offsetX, offsetY, screenX, screenY, shiftKey, shiftLeft, x and y.

Exploit

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8" />
  <title>Exploit Demo</title>
  <script type="text/javascript">
    window.attachEvent("onload", function() {
      var detector = document.getElementById("detector");
      detector.attachEvent("onmousemove", function (e) {
        detector.innerHTML = e.screenX + ", " + e.screenY;
      });
      setInterval(function () {
        detector.fireEvent("onmousemove");
      }, 100);
    });
  </script>
</head>
<body>
  <div id="detector"></div>
</body>
</html>

Demonstration
A demonstration of the security vulnerability may be seen here: iedataleak.spider.io/demo.

The implications for virtual keyboards and virtual keypads
We have created a game to illustrate how easily this security vulnerability in Internet Explorer may be exploited to compromise the security of virtual keyboards and virtual keypads. The game may be found at iedataleak.spider.io.