Spider.io software engineer Nick Johnson recently uncovered a security flaw in Internet Explorer that could allow an attacker to track all of a victim's mouse cursor movements, even if the Internet Explorer window is inactive.
"This particular vulnerability is of concern, because if you use Internet Explorer your mouse movements can be recorded even if you never install any software," writes Wired's Olivia Solon. "A hacker simply needs to buy a display advertising placement on any webpage you visit. As long as the tab with the ad remains open, mouse movements can be tracked."
"In fact, Spider.io revealed the security hole is already being used by advertisers," writes The Next Web's Emil Protalinski. "Though it didn’t name them, the security firm said the vulnerability is currently being exploited by at least two display ad analytics companies 'across billions of page impressions per month.'"
"Knowing the position of the cursor has significant ramifications for authentication systems that use a virtual keyboard as a means to circumvent keyloggers," writes ZDNet's Michael Lee. "Virtual keyboards that randomise key placement would likely be unaffected."
"[Spider.io said] that, while the problem has been acknowledged by the Microsoft Security Research Center, there are apparently no immediate plans for a patch," writes Network World's Jon Gold.