top | item 4909504

Any page loaded in IE can track your mouse movements anywhere

292 points| nicksdjohnson | 13 years ago |spider.io | reply

161 comments

[+] colkassad|13 years ago|reply
>The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month.

Who are these companies?

[+] mtgx|13 years ago|reply
So much for Microsoft's automatic Do Not Track. It seems users are less safe, not more, with IE from ad companies.
[+] 3825|13 years ago|reply
Name no names please. Don't want a witch hunt when we are in a glass house.
[+] chris_wot|13 years ago|reply
I find it particularly inspiring that they turned this into a game. And more inspiring still that folks spent 4 hours playing the game!
[+] happslappy|13 years ago|reply
This could be used to track entropy of encryption key generation (like TrueCrypt or the new MEGA site, any site that employs mouse/key binding for entropy).

Damn, this is FUBAR!

[+] alexjeffrey|13 years ago|reply
While this seems like something that Microsoft should fix as a matter of urgency, I don't believe the problem is as severe as is being portrayed.

In order to get any meaningful information from this attack, you would need to know what application/website the user is currently using (or send them to it), where it's positioned on the screen and the exact layout of the subject. The interface would also have to be either mouse- or meta-key driven, which isn't a common facet for sensitive inputs (passwords, bank transfers, and private messages off the top of my head).

[+] njr123|13 years ago|reply
As they mention in the article, if the user is using an onscreen keyboard, then the trace essentially amounts to a keylog. And since on screen keyboard usage would have very distinctive patterns, if you had a large enough dataset, you should be able to extract those logs relatively easily.
[+] ch0wn|13 years ago|reply
I guess it shouldn't be too hard to create an algorithm that maps the movements to potential numbers on a visual type pad. Once you have the numbers, you just need to match them to patterns which could be cc numbers, phone numbers, bank accounts and so on. You just need to collect enough to find some useful data.
[+] davidjgraph|13 years ago|reply
Whether it's common or not isn't the issue, it's whether it's done at _all_ by banks and suchlike.

My bank on their online site asks for my account number, a memorable piece of data and a 6 digit passnumber that they generate (and I can't change). The passnumber is entered using pull-down menus for each digit, always ordered 0-9.

So, no, an attacker wouldn't have access to all the information they need, but they'd certainly have access to more than they should, in this case, if they're able to take advantage of this, that is.

And it's not just for general users; some sites do offer additional functionality in this field for users with accessibility requirements (large on-screen number pads, etc.).

So, yes, I'm sure the % of affected sites is low, but just 1 bank whose online system is compromised by this is 1 bank too many.

Even if mouse position tracking is permitted, it should clearly be limited to the current tab. Cross-tab, and certainly, cross-application is just clearly wrong.

[+] slashdotdash|13 years ago|reply
Has anyone tried this with Microsoft's Surface tablet to find out whether the on-screen keyboard can be tracked?
[+] scotty79|13 years ago|reply
It's a shame that before releasing that to the public no one gathered a few terabytes of such data and put it up on torrents.

We might learn a lot about how people use computers and UIs with such data.

[+] algorias|13 years ago|reply
Right, and the affected people's right to privacy be damned...
[+] r00fus|13 years ago|reply
Ignoring the keypresses (to prevent inadvertent credential sharing), and just doing mouseclick heatmaps while anonymizing the IPs involved and sites visited would be interesting (you'd want to keep screen size/browser version data, for an understanding of what the heatmaps represent).

Would provide lots of info without compromising much details.

[+] benologist|13 years ago|reply
Interesting that this has been around for so long. What are the ramifications of leaking mouse/ctrl/alt/shift if they don't have any context about what you are clicking on?
[+] jtchang|13 years ago|reply
Who says they don't have any context?

Off the top of my head I know ingdirect had a virtual pinpad. Combine this with an XSS vulnerability and I could easily send you a link to log in to your bank website. The link would then load this type of mouse tracking data.

[+] DanBC|13 years ago|reply
As others have said, some clicks are going to be things on a screen-keypad.

The pad can be anywhere on the screen, and it can be in a different place each time, but you'd be able to capture repeated patterns of clicks.

[+] meaty|13 years ago|reply
Looking at the holes and crocks of shit we see every damn day related to HTTP, HTML, JavaScript and the whole programming model that surrounds them, it's about time someone just shot it all and started again putting security and privacy first rather than playing whack-a-mole all the time.

Unfortunately I fear this is not possible based on the sheer momentum that this ball of sticky tape and string has.

I think the sheer number of articles that paper HN all the time over browser and protocol vulnerabilities, leaks and problems back up my assertion.

EDIT: just to add, my frustrations are based on having to spend 5 hours porting some JS code so it works properly on all browsers.

[+] dasil003|13 years ago|reply
If 20 years ago some clairvoyant genius had foreseen what web applications would become, and decided to create a sane and secure alternative, and by some miracle had managed to pull it off without falling into numerous tarpits owing to an unsinkable combination of intelligence, persistence and vision, it still never would have taken off because it would be too complicated to gain traction compared to the simplicity of HTML.

The key thing you need to wrap your head around is that software ecosystems are not designed; they accrete and evolve organically, and no one has any power to change that.

[+] davedx|13 years ago|reply
It's an Internet Explorer vulnerability. Shell level IE exploits are one of the reasons Firefox and Chrome have done so well, because they're more secure. Don't paint every browser with the same brush.
[+] mattmanser|13 years ago|reply
Do you know how hard that would be?

It's not momentum: the browser is essentially a universal OS, and the holes would still be there if you started again from scratch.

[+] 7952|13 years ago|reply
Are you suggesting that there is something uniquely vulnerable about web technologies? Problems occur at every level of the stack from the OS on the client up to the server software. The big advantage of that programming model is how different elements can be loosely coupled. You can fix a problem by swapping individual parts of the stack without changing the experience.
[+] J_Darnley|13 years ago|reply
Just removing javascript from a browser would cure most ills these days, and not all of them security issues.
[+] jl6|13 years ago|reply
This is a tempting option in so many situations, not just software. But it never works because you can never wipe the slate truly clean. The state of the world is dependent on the previous state of the world.
[+] ams6110|13 years ago|reply
The problem is not the technology, it's human nature. There are a certain number of scumbags out there, who will lie, cheat, spy, eavesdrop, backstab, whatever it takes to get something for themselves. This has been going on since we've existed as a species and I see no reason to expect it to ever stop.
[+] delano|13 years ago|reply
The world is a lovely, messy place.
[+] lucian1900|13 years ago|reply
Anything you replace it with will have tons of vulnerabilities as well. Formal verification might help, but that's entirely orthogonal to the programming model.

Sure, it sucks to develop for. But it's not fundamentally impossible to make it secure and private.

[+] Yaggo|13 years ago|reply
> Looking at the holes and crocks of shit we see every damn day related to HTTP, HTML, JavaScript

Many "browser vulnerabilities" (esp. non-IE) are actually vulnerabilities of Flash, an entirely different [and dying] platform.

[+] Yaggo|13 years ago|reply
> EDIT: just to add, my frustrations are based on having to spend 5 hours porting some JS code so it works properly on all browsers.

That tells nothing more than that someone has written shitty code in the beginning.

[+] egeozcan|13 years ago|reply
The limited nature of the environment actually makes it much more secure and I'd guess that IE is not written in JavaScript. =)
[+] derleth|13 years ago|reply
> it's about time someone just shot it all and started again putting security and privacy first rather than playing whack-a-mole all the time.

I agree fully. So do the people working on Algol-68, PL/I, Multics, the Canon Cat, Plan 9, and, perhaps most relevant to this, Project Xanadu.

(Esperanto probably deserves a mention here, but it's duking it out somewhere with Volapük, Ido, Interlingua, Loglan, and Lojban.)

[+] drivebyacct2|13 years ago|reply
Because inventing something from scratch is a fool-proof way to have bug and exploit free code.

What are you even doing these days that requires "porting JS code"? I haven't had to do that for ages and it was on poorly written JS to begin with.

[+] alpb|13 years ago|reply
This is not correct. When I run it on IE, first it asks permission to run ActiveX controls on my browser, which I don't allow if I trust.

Then, of course, just like Flash, it can track your mouse.

[+] blahpro|13 years ago|reply
This is probably related to the YouTube video embed on the demo page, which I believe uses Flash. The mouse tracking itself is entirely JavaScript.

Edit: I am one of the authors of the demo code included in the disclosure.

[+] jey|13 years ago|reply
Where in the exploit HTML + JS is the ActiveX component being invoked from?
[+] wlesieutre|13 years ago|reply
I received no ActiveX warning with Windows 7 and IE9. What version are you running?
[+] blahpro|13 years ago|reply
Just to point out how ridiculous this is: you can get mouse position information from any event (fired programmatically using fireEvent or otherwise). You can even get it from the "onbounce" event on <marquee> elements, for goodness' sake.
[+] rossc1|13 years ago|reply
Is there any, any whatsoever, evidence to say that this exploit has ever been exploited?

It seems far fetched. And if you're using a virtual keyboard for security... you'd be using IE? C'mon now.

[+] wahsd|13 years ago|reply
Kind of ironic considering Windows 8's visual/swipe password feature, which, in general, is quite novel and interesting, albeit not very secure for various other reasons.
[+] snarfy|13 years ago|reply
The proof-of-concept should be a page that tracks the swipes and can then log in on Windows 8. I bet then Microsoft would prioritize fixing it.
[+] navneetpandey|13 years ago|reply
I have no problem at all, whether they track mouse movement or anything else.

You know why? Because I use Chrome.

[+] abdophoto|13 years ago|reply
Freaking IE. I hate that damn browser.
[+] goggles99|13 years ago|reply
This is so low risk, why even bother posting it? Zero days come out every month or two with far better attack vectors. Criminals are not going to waste their time with this rubbish.