Mouse & modifier key tracking vulnerability in IE 6-10

Discussion in 'privacy general' started by TheWindBringeth, Dec 12, 2012.

Thread Status:
Not open for further replies.
  1. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    http://spider.io/blog/2012/12/internet-explorer-data-leakage/

    Demo and YouTube video of demo at the bottom of http://iedataleak.spider.io/demo. I didn't test it but watched the video. It appears that mouse click events (outside of expected areas) aren't vulnerable, but you can still achieve inappropriate information gathering.
     
  2. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Are there any mitigations we can use?

    I keep psw and http addresses on a stick encrypted then decrypt them and copy paste them into the sites. So that uses clipboard.

    This all occurs while sandboxed.
     
  3. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Stop using IE? Maybe an extension to IE could intercept the events and discard or modify the threatening ones? Block third party content and carefully control what windows you have open so as to reduce the possibility that something might be snooping on you via this technique? Don't use the mouse to write out words in any applications or use a mouse driven onscreen keyboard if you have potentially threatening pages open in IE?
     
  4. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Microsoft: We’re investigating the Internet Explorer mouse-tracking vulnerability
    Article
     
    Last edited: Dec 13, 2012
  5. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    More information (Hat Tip) to Merijn for this.
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Does this "issue" apply if we use InPrivate Browser?
     
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks, one MS comment here is other browsers have this issue.

    Which ones are they?

    If I don't use on screen keyboard and am inside the sandbox I suspect none of this bug applies?
     
  8. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Based on the Microsoft statement, the vuln does take place in-privacy mode as well. There will be more as MS has had time to investigate further.

     
  9. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Best guess is that MS will be forthcoming with a FixIt within the next days, all depending on the outcome of the MS investigation. More as I know more.
    Stay tuned.
     
  10. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Do you mean the linked to blog entry comment: "There are similar capabilities available in other browsers."? I don't know what is considered "similar capabilities" and the author chose not to elaborate on that. Perhaps, and hopefully, all browser developers will review their approaches and any/all surfaced issues will be promptly, correctly addressed.

    FWIW, the same blog entry linked to a video by Spider.io on assessing ad viewability... http://spider.io/blog/2012/12/there...e-ad-viewability-there-is-only-one-right-way/ ... which I watched. IE was the only browser described as having this issue. However, Firefox was described as having a significantly different issue of its own which 1) can also be used to determine ad viewability, and 2) could creatively be used to gather some information. IIRC, no related issues were mentioned for Webkit browsers and Opera wasn't mentioned at all. You might watch that video for yourself.

    Edit: Later, I'm going to re-watch that video myself. To be honest, I'm not sure I ever thought through the possibilities to collect information about the user based on the absolute and/or relative position of ads and knowing what could affect their position(s).

    Conceptually, the issue isn't limited to the on screen keyboard scenario. That is but one specific, bad/worst case example of where you wouldn't want webpage script to be able to gather information about unrelated mouse movements involving other applications, browser windows, etc.

    As for whether a particular "sandbox" could offer protection, I think that would depend on what if anything it does WRT compartmentalizing screens and mouse/keyboard activity, events.
     
    Last edited: Dec 14, 2012
  11. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619