Microsoft says it is investigating a possible bug in Internet Explorer that allows others to follow the position of your mouse cursor on screen, even if IE is minimized.
Researchers at Spider.io, an advertising analytics firm, discovered the function and reported it to Microsoft in early October. They identified a vulnerability in Internet Explorer, found in versions 6 through 10, that enables people to track the mouse cursor anywhere on a display, which could compromise the security of virtual keyboards and virtual keypads.
Here’s a video demo of the exploit:
Microsoft acknowledged the issue, but did not address it in the latest patch update for the browser. So far, Microsoft claims its evidence indicates that sites can view only the mouse state, but not the actual content that the user is interacting with.
The company now says it is working closely with other companies to address the vulnerability.
“From what we know now, the underlying issue has more to do with competition between analytics companies than consumer safety or privacy,” said Dean Hachamovitch, a Microsoft vice president who oversees IE, in a blog post.
“We are actively working to adjust this behavior in IE. There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers,” Hachamovitch added. “The only reported active use of this behavior involves competitors to Spider.io providing analytics. The theoretical use of this behavior to compromise the safety or privacy of consumers is something Microsoft’s security team has discussed with researchers across the industry.”
Hachamovitch says that getting all the right pieces in order to exploit this vulnerability is “hard to imagine,” and that there is “very little risk to consumers at this time.”