
IE Flaw Lets Sites Track Your Mouse Cursor, Even When You Aren't Browsing

Soulskill posted about 2 years ago | from the now-everybody-knows-your-goofy-little-mouse-movements dept.

Internet Explorer 149

An anonymous reader writes "A new Internet Explorer vulnerability has been discovered that allows an attacker to track your mouse cursor anywhere on the screen, even if the browser isn't being actively used. 'Whilst the Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser. It is important for users of Internet Explorer to be made aware of this vulnerability and its implications. The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month.' All supported versions of Microsoft's browser are reportedly affected: IE6, IE7, IE8, IE9, and IE10."

149 comments

Some of these IE bugs are things of beauty. (4, Funny)

multicoregeneral (2618207) | about 2 years ago | (#42264213)

I think in general, we need to stop looking at them as bugs. We need to start looking at them as performance art.

Re:Some of these IE bugs are things of beauty. (4, Funny)

masternerdguy (2468142) | about 2 years ago | (#42264285)

This isn't a bug it's a feature! It allows for advanced Facebook integration with cutting edge cloud computing advertisers running the new touch-screen oriented Windows Server. This delivers high quality targeted rich media advertising to the world's most common platform.

Re:Some of these IE bugs are things of beauty. (2)

Synerg1y (2169962) | about 2 years ago | (#42264357)

Seriously, I can't see why anybody else would care, mouse coordinates are not useful data for anything. The fact that they have "detector" exposed... somebody needs to stop working in development for that one.

Re:Some of these IE bugs are things of beauty. (5, Funny)

Anonymous Coward | about 2 years ago | (#42264425)

You're not seeing the big picture. Mouse movement patterns can predict attitudes, political orientation, sexual orientation, and how many pets someone owns. The r squared of the correlation is nearly 0.05 making it extremely interesting to analytic companies. There is a database somewhere of literally years of mouse movement records that demonstrate changes in religion, politics, and mean income. We're talking about a new marketing paradigm for the 21st century advertiser.

Re:Some of these IE bugs are things of beauty. (1)

camperdave (969942) | about 2 years ago | (#42264623)

Ah! So if the mouse cursor is constantly going to the bottom left, they are a conservative windows user. But if it goes to the top left, they are a wine-loving Ubuntu user?

Re:Some of these IE bugs are things of beauty. (1)

Anonymous Coward | about 2 years ago | (#42264639)

I think it can be more direct than that. If it goes to the top left, then you need to start selling that person antidepressants, because they're clearly in some horrible situation (office still using ActiveX?) that requires them to use IE on 'buntu/OS X.

Re:Some of these IE bugs are things of beauty. (4, Informative)

Samantha Wright (1324923) | about 2 years ago | (#42265345)

More plausibly, this can be used to determine how quickly someone reaches for the top-right corner to kill an advertisement, or if they start to and then suddenly stop because they got distracted by something in the pop-up.

...based on the content of which, you can then predict attitudes, political orientation, sexual orientation, and how many pets someone owns. The r squared of the correlation is nearly 0.05 making it extremely interesting to analytic companies. There is a database somewhere of literally years of mouse movement records that demonstrate changes in religion, politics, and mean income. We're talking about a new marketing paradigm for the 21st century advertiser.

Re:Some of these IE bugs are things of beauty. (4, Insightful)

mcl630 (1839996) | about 2 years ago | (#42264463)

Seriously, I can't see why anybody else would care, mouse coordinates are not useful data for anything. The fact that they have "detector" exposed... somebody needs to stop working in development for that one.

It is useful data if the user is using a virtual keyboard on a touch-device.

Re:Some of these IE bugs are things of beauty. (0)

Anonymous Coward | about 2 years ago | (#42264585)

Android is open source patch it yourself commie.

Re:Some of these IE bugs are things of beauty. (1)

Anonymous Coward | about 2 years ago | (#42265069)

Android is open source patch it yourself commie.

IE doesn't run on Android.

Re:Some of these IE bugs are things of beauty. (4, Insightful)

hobarrera (2008506) | about 2 years ago | (#42265169)

Or those virtual keyboards some banks force you to use to avoid keyloggers.

Re:Some of these IE bugs are things of beauty. (4, Interesting)

gmuslera (3436) | about 2 years ago | (#42264649)

Wonder if touch input is counted as mouse coordinates. If so, it is at the very least a keylogger.

Re:Some of these IE bugs are things of beauty. (5, Informative)

JDG1980 (2438906) | about 2 years ago | (#42264797)

Seriously, I can't see why anybody else would care, mouse coordinates are not useful data for anything.

From the original article: "A security vulnerability in Internet Explorer, versions 6–10, allows your mouse cursor to be tracked anywhere on the screen, even if the Internet Explorer window is inactive, unfocused or minimised. The vulnerability is notable because it compromises the security of virtual keyboards and virtual keypads."

Re:Some of these IE bugs are things of beauty. (1)

Synerg1y (2169962) | about 2 years ago | (#42265071)

It can... you'd have to write a reverse mouse coordinator to keyboard mapper type app, account for screen resolution, write an algorithm, or use a set of pretty red eyeballs to factor out all the typos, junk clicks, factor in for auto-correct on these types of keyboards and then maybe you'd have something. And these are obvious issues I can think of off the top of my head. Any volunteers?

Re:Some of these IE bugs are things of beauty. (2, Insightful)

Anonymous Coward | about 2 years ago | (#42265261)

Because it would be challenging, would BE the reason someone would write this exploit.

Re:Some of these IE bugs are things of beauty. (2)

PlusFiveTroll (754249) | about 2 years ago | (#42265419)

For a virtual keyboard that you'd be typing a password in to, there shouldn't be any issues with autocorrect. Just the series of movements would pretty quickly correlate to a low entropy password. Something stupid like 'Password1' would show up in a heatmap pretty easy.

IE, an entomologist's dream application... (1)

TiggertheMad (556308) | about 2 years ago | (#42264823)

Seriously, I can't see why anybody else would care, mouse coordinates are not useful data for anything.

In and of themselves, you are right, they aren't a threat. But what other bugs are there in IE that this could be used in conjunction with?

I can think of one app right off the top of my head that this could be a big deal for. Doesn't the Putty ssh key generator app use mouse movements to seed the SSH key generation? If you knew that was running, and could track mouse movement, that would give you a lot of information that shouldn't be shared. I think a lot of git based stuff uses SSH keys for authentication, so there is a lot of potential trouble this could cause with other vulnerabilities.

Re:IE, an entomologist's dream application... (1)

Synerg1y (2169962) | about 2 years ago | (#42265029)

As long as they reversed the encryption formula in real-time... I don't think the ssh key generator uses the mouse as the only factor of the salt.

Re:Some of these IE bugs are things of beauty. (2)

Iamthecheese (1264298) | about 2 years ago | (#42264905)

Several secure banking apps allow the user to click screen icons to spell out PINs and passwords.

Re:Some of these IE bugs are things of beauty. (1)

Synerg1y (2169962) | about 2 years ago | (#42265005)

On a website or atm? I can't think of any that let you use a built in on screen keyboard embedded into the website (req. for steady xyz tracking to grab a pin).

Re:Some of these IE bugs are things of beauty. (4, Informative)

mythosaz (572040) | about 2 years ago | (#42265137)

IngDirect (now Capital One) uses a virtual pinpad as the standard means of accessing your account.

789
456
123

You click on each digit of your PIN after entering (or pulling down from the history on registered computers) your customer number. You can not type them. You must click them.

Re:Some of these IE bugs are things of beauty. (2)

Smallpond (221300) | about 2 years ago | (#42265645)

IngDirect (now Capital One) uses a virtual pinpad as the standard means of accessing your account.

789
456
123

You click on each digit of your PIN after entering (or pulling down from the history on registered computers) your customer number. You can not type them. You must click them.

This is a security feature to prevent a keylogger from capturing your PIN. After all, what software would be stupid enough to pass your mouse coordinates and button presses to untrusted javascript?

Now suppose Evildude buys an ad that pops up when someone searches on IngDirect. Many people never type in the address bar. They use search to find the site they want to go to. Now you have your exploit and a pretty good correlation with the IngDirect site. Bingo.

Re:Some of these IE bugs are things of beauty. (0)

Anonymous Coward | about 2 years ago | (#42265225)

If I'm not mistaken web pages can make a call for the user's screen resolution, and with knowledge of how the web page is displayed they could very likely determine what a user is interested in (at least if they have the habit of moving their mouse to things they are focusing on like me). With touch screens and tablets becoming more popular entries into on screen keyboards could also allow them to determine passwords, credit card numbers, user names and other information. Not that any of this would be foolproof, but it doesn't need to be to glean an obscene amount of personal information.

Re: Seriously .. (1)

dgharmon (2564621) | about 2 years ago | (#42265297)

"The IE vulnerability compromises the security of virtual keyboards and virtual keypads, which can be used to reduce the chance of a keylogger recording every keystroke to learn your credit card numbers, passwords, and other sensitive information .. If you don't use IE, here's a video demonstration of the vulnerability in action [thenextweb.com] ":

Re:Some of these IE bugs are things of beauty. (1)

dkleinsc (563838) | about 2 years ago | (#42264441)

It allows for advanced Facebook integration with cutting edge cloud computing advertisers running the new touch-screen oriented Windows Server. This delivers high quality targeted rich media advertising to the world's most common platform.

Bingo, sir. [dilbert.com]

Re:Some of these IE bugs are things of beauty. (1)

polar red (215081) | about 2 years ago | (#42265015)

that's called 'bullshit bingo' now.

Re:Some of these IE bugs are things of beauty. (0)

Anonymous Coward | about 2 years ago | (#42265179)

This isn't a bug it's a feature!

Microsoft's response of "no immediate plans to patch this vulnerability" leads me to believe that stuff like this is being deliberately put in under orders of Homeland Security (and has been for years).

Re:Some of these IE bugs are things of beauty. (1)

girlintraining (1395911) | about 2 years ago | (#42264617)

We need to start looking at them as performance art.

Historically, there's been nothing artistic about the performance of Internet Explorer, except perhaps in the wide and varied ways in which it catches fire. That said... someone really needed to have screwed the pooch to make this vulnerability possible; Windows by default won't dump mouse movement events into a window or control's message queue unless it's directly over it, and the x,y coordinates are usually relative not absolute (though one can make a dll call to get the absolute coordinates). But then, IE happily chirps your display devices' absolute size in HTTP requests, and its bag on the side ".hta" files and associated total bypass of normal security in order to turn internet explorer into some kind of interpreter for standalone applications may have something to do with this monumental screwup.

And make no mistake: They had to screw up pretty good to make this one possible. Normal windows applications just don't work like this.

Re:Some of these IE bugs are things of beauty. (1)

PlusFiveTroll (754249) | about 2 years ago | (#42265515)

There are some pretty good [youtube.com] artistic videos on internet exploder catching fire out there.

They had to screw up? (1)

SpaceLifeForm (228190) | about 2 years ago | (#42265587)

Not if it is by design. Perhaps the problem is that IE is 'leaking' the fact that the capability exists. Certainly, the entire OS does know the cursor position and mouse click and keyboard events anyway. Remember, His Billness testified that IE and the OS were inseparable.

Re:Some of these IE bugs are things of beauty. (0)

Anonymous Coward | about 2 years ago | (#42264803)

I think in general, we need to stop looking at them as bugs. We need to start looking at them as performance art.

I think in general, we need to stop bullshitting and call this what it is; Microsoft being paid by ad companies to acknowledge exploits but completely ignore fixing them (in which said exploit becomes a "feature").

And of course, in business-speak, this is completely legitimized by calling this a "partnership".

Re:Some of these IE bugs are things of beauty. (0)

Anonymous Coward | about 2 years ago | (#42265173)

You better get that tin foil hat replaced. I'm getting a lock on you.

Not as bad as ubuntu (-1)

Anonymous Coward | about 2 years ago | (#42264225)

Ubuntu £inux is the death of computing and the hacker culture. Mark has made it clear that he intends to keep making ubuntu more and more oriented to commercialism until eventually it is just as ad ridden and broken as Android. Ubuntu will support the TPM and secure booting so it can be pre installed on computers and the UEFI firmware will be locked so I won't even be able to install windows 8 on it. And this is progress? Disgusting.

Re:Not as bad as ubuntu (1)

multicoregeneral (2618207) | about 2 years ago | (#42264287)

It's not commercialism that's the problem with Ubuntu. Commercialism is useful and valuable to hackers and programmers, and the people that help them put food on the table. Redhat is a commercial distro, and very few people complain about it. The problem is that Mark Shuttleworth thinks he's Steve Jobs. He's not. I don't even think Steve Jobs was Steve Jobs, honestly.

Re:Not as bad as ubuntu (0)

Anonymous Coward | about 2 years ago | (#42264503)

No, but Steve Jobs has the ability to make you think he was Steve Jobs.

Re:Not as bad as ubuntu (1)

fahrbot-bot (874524) | about 2 years ago | (#42264565)

I don't even think Steve Jobs was Steve Jobs, honestly.

His liver certainly wasn't. (Too soon?)

Good job (0)

Finallyjoined!!! (1158431) | about 2 years ago | (#42264227)

That I only use Opera then.....

Surprised? (2)

kc67 (2789711) | about 2 years ago | (#42264229)

This is IE we are talking about...

Re:Surprised? (0)

Anonymous Coward | about 2 years ago | (#42264415)

Since your Slashdot ID is almost 3 Million, I'm not surprised you can not accurately identify a TROLL ARTICLE.

Re:Surprised? (0)

lister king of smeg (2481612) | about 2 years ago | (#42264543)

Since your Slashdot ID is almost 3 Million...

said the 8 digit AC.

Re:Surprised? (0)

Anonymous Coward | about 2 years ago | (#42264683)

Since your Slashdot ID is almost 3 Million...

said the 8 digit AC.

ACs have user IDs now? And not just a post ID? Oh, crap. They're on to me! Coward powers, awaaaaaaaaaaay! *zoom*

Article is a Troll (0, Informative)

Anonymous Coward | about 2 years ago | (#42264235)

This is a JavaScript flaw that occurs in several browsers. Article - such that it is as not much more than a Slashvert for Page Views - is a TROLL.

Really? Why Doesn't the Demo Work in FF Then? (5, Informative)

eldavojohn (898314) | about 2 years ago | (#42264455)

Well, that's bizarre, when I go to the demonstration page in Firefox nothing happens [spider.io] yet when I go to it in IE, it magically works. What are they doing in their demonstration page that is different? Browser version shouldn't matter, right?

Conversely this just sounds like Microsoft being bit in the ass by giving their browser special privileges to native OS libs and dlls.

Re:Really? Why Doesn't the Demo Work in FF Then? (3, Informative)

mcl630 (1839996) | about 2 years ago | (#42264551)

Nothing happens in Chrome either. In IE it works. I did notice that it only tracks while the mouse cursor is on the same monitor as the IE window.

Re:Really? Why Doesn't the Demo Work in FF Then? (2)

Archangel Michael (180766) | about 2 years ago | (#42264689)

Good to know. Now all I have to do is have my IE window open on the monitor I just setup for IE (and nothing else) :-D Problem solved.

Re:Really? Why Doesn't the Demo Work in FF Then? (1)

Dunega (901960) | about 2 years ago | (#42265375)

It's also extremely inaccurate. The picture shows the mouse pointing well off of the IE window when I was pointing it at the address bar.

Re:Really? Why Doesn't the Demo Work in FF Then? (1)

The MAZZTer (911996) | about 2 years ago | (#42264879)

Well the exploit uses APIs that only work in IE, such as attachEvent, so it breaks in other browsers before it can even try the exploit.

I looked into how other browsers handle manually firing events and found this nice example [mozilla.org] . As you can see, you are REQUIRED to create your OWN event object, where the exploit depends on the browser creating and populating one.

Re:How odd. (1)

JustAnotherIdiot (1980292) | about 2 years ago | (#42265499)

Not the link you provided, but this tidbit in the summary:

track your mouse cursor anywhere on the screen, even if the browser isn't being actively used.

I always have IE up due to the fact it's the only browser that works with my sign in/out webpage for work.
Even still, I don't see it working unless I pull it up actively in IE.

Re:Article is a Troll (1)

The MAZZTer (911996) | about 2 years ago | (#42264863)

fireEvent is only supported in IE. Can you show how other browsers are affected? The only way to manually fire events in a standard way involves supplying your OWN event object and properties... this exploit relies on the browser filling some in.

Re:Article is a Troll (0)

Anonymous Coward | about 2 years ago | (#42265471)

fireEvent is only supported in IE. Can you show how other browsers are affected?

Yes I can. Butt at the moment, I'm corn-holing your sister while your brother and mother watches as they masturbate each other.

WTF? (1)

fuzzyfuzzyfungus (1223518) | about 2 years ago | (#42264257)

Why would a program even have access to mouse activity that isn't occurring within its window?

Re:WTF? (1)

jellomizer (103300) | about 2 years ago | (#42264361)

There are legit programs such as presenting your screen and you need to show where your mouse is, or even programs that will try to predict your next action ahead of time for faster performance. Or you just really like xeyes.

I admit it is a scary feature however there are actually legit uses for it too.

Re:WTF? (1)

fuzzyfuzzyfungus (1223518) | about 2 years ago | (#42264413)

I can definitely see the use cases (if nothing else, the window manager needs to know where the mouse is to manage windows), it just seems like a strange thing to have available by default, especially for a browser, which can reasonably assume that it will spend its entire life handling malicious inputs.

Re:WTF? (0)

PPH (736903) | about 2 years ago | (#42264367)

Probably because IE is so tightly bound to Windows, everything is "its window".

Re:WTF? (1, Troll)

marcello_dl (667940) | about 2 years ago | (#42264391)

> Why would a program even have access to mouse activity that isn't occurring within its window?

To properly implement xeyes, obviously.

PS: n00b! :->

PS2: I found this js version of xeyes [arc.id.au] , you IE users should have eyes following you outside the browser windows, right? With my ff on linux they stop following outside the window.

Re:WTF? (1)

smitsco (677534) | about 2 years ago | (#42264561)

Your example doesn't demonstrate the bug in question. The eyes in your example stop moving when I move the mouse cursor outside the window in IE 10.

Re:WTF? (1)

ericloewe (2129490) | about 2 years ago | (#42264811)

Same here. Same monitor, different monitor, doesn't even work across windows.

Re:WTF? (1)

ericloewe (2129490) | about 2 years ago | (#42264793)

Probably their method of carrying tabs to and from active windows.

Exposing it to web pages is something quite weird to allow, though.

SMH (2)

Applekid (993327) | about 2 years ago | (#42264275)

IIRC, your standard message pump in Windows won't send mouse events to your window if you don't have focus. Which means they had to do something extra to make it happen. Not for, say, Magnifier, but for a mere web browser.

Craziness.

Re:SMH (1)

BradleyUffner (103496) | about 2 years ago | (#42264419)

IIRC, your standard message pump in Windows won't send mouse events to your window if you don't have focus. Which means they had to do something extra to make it happen. Not for, say, Magnifier, but for a mere web browser.

Craziness.

Chrome (a mere web browser) receives mouse events when not in focus also. Just put another window on top of it and hover the mouse over the back button. You will see its state change.

Re:SMH (0)

Anonymous Coward | about 2 years ago | (#42264625)

Firefox shows the same behavior (hover over a tab while not focused), and Thunderbird does it too.

Re:SMH (1)

hobarrera (2008506) | about 2 years ago | (#42265197)

I can't reproduce this. Maybe it's a windows-only issue?

Re:SMH (1)

Anonymous Coward | about 2 years ago | (#42264421)

your standard message pump in Windows won't send mouse events to your window if you don't have focus.

You forget, IE is part of the OS. From the description of the exploit, it sounds like IE uses a prefilled event template with information from the OS, and returns that whenever an event is fired, so if your script manually calls the onmousemove event it gets that event template, even if your mouse isn't moving on the webpage.
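A model of the behaviour this comment and The MAZZTer's comments describe, added here as an example; it is not part of the thread and is not Internet Explorer's code. `OsPointer`, `LegacyHost`, `GatedHost` and `ScriptMouseEvent` are hypothetical names, the cursor trace is constructed, and the focus-and-bounds gate is an assumed hardening, not Microsoft's fix.

```javascript
// Constructed model for illustration; not Internet Explorer's implementation.
// All class and function names here are hypothetical.

// Stand-in for the OS-wide cursor position, in screen coordinates.
class OsPointer {
  constructor() { this.x = 0; this.y = 0; }
  moveTo(x, y) { this.x = x; this.y = y; }
}

// A browser window: a rectangle on the screen plus a focus flag.
class BrowserWindow {
  constructor(left, top, width, height, focused) {
    Object.assign(this, { left, top, width, height, focused });
  }
  contains(x, y) {
    return x >= this.left && x < this.left + this.width &&
           y >= this.top && y < this.top + this.height;
  }
}

// Legacy model: the host creates the event object and fills it from OS state
// whenever a script fires the event, whether or not the cursor is over the page.
class LegacyHost {
  constructor(pointer, win) {
    this.pointer = pointer;
    this.win = win;
    this.handlers = {};
  }
  attachEvent(name, fn) {
    if (!this.handlers[name]) this.handlers[name] = [];
    this.handlers[name].push(fn);
  }
  buildEvent(name) {
    return { type: name, screenX: this.pointer.x, screenY: this.pointer.y };
  }
  fireEvent(name) {
    const ev = this.buildEvent(name);
    for (const fn of this.handlers[name] || []) fn(ev);
  }
}

// Assumed hardening: a script-fired event carries coordinates only while the
// window has focus and the cursor is inside it.
class GatedHost extends LegacyHost {
  buildEvent(name) {
    const { x, y } = this.pointer;
    const visible = this.win.focused && this.win.contains(x, y);
    return { type: name, screenX: visible ? x : null, screenY: visible ? y : null };
  }
}

// Standards model: the script must construct the event itself, so the event
// holds only what the script supplied (coordinates default to 0).
class ScriptMouseEvent extends Event {
  constructor(type, init = {}) {
    super(type);
    this.screenX = init.screenX ?? 0;
    this.screenY = init.screenY ?? 0;
  }
}

// Constructed cursor trace: one point inside an 800x600 window at the
// screen origin, two points outside it.
const CONSTRUCTED_TRACE = [[100, 100], [1500, 40], [640, 900]];

// What a page handler observes when the page fires the event itself
// after each cursor move.
function traceViaFire(HostClass, win, trace) {
  const pointer = new OsPointer();
  const host = new HostClass(pointer, win);
  const seen = [];
  host.attachEvent("onmousemove", (ev) => seen.push([ev.screenX, ev.screenY]));
  for (const [x, y] of trace) {
    pointer.moveTo(x, y);
    host.fireEvent("onmousemove");
  }
  return seen;
}

// The same loop against the standards model: OS state never reaches the event.
function traceViaDispatch(trace) {
  const pointer = new OsPointer();
  const target = new EventTarget();
  const seen = [];
  target.addEventListener("mousemove", (ev) => seen.push([ev.screenX, ev.screenY]));
  for (const [x, y] of trace) {
    pointer.moveTo(x, y);
    target.dispatchEvent(new ScriptMouseEvent("mousemove"));
  }
  return seen;
}
```

With an unfocused window the legacy model hands back the full trace, the gated model hands back nothing, and the standards model only ever returns the script's own defaults.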

Re:SMH (0)

Anonymous Coward | about 2 years ago | (#42264569)

IIRC, your standard message pump in Windows won't send mouse events to your window if you don't have focus. Which means they had to do something extra to make it happen.

LOL wut? [quirksmode.org]

yes they did have to do something extra to make it happen, that's how web browsers work. they just chose a lazy way of implementing the functionality. possibly using a window handler thread which saves the mouse coordinates in a global var. this global var being available to the javascript thread which just spawned a timer to check mouse coordinates. in this situation, the likely culprit is in the window handler thread not handling focus correctly. read: this can happen in any os and with any browser.

i bet there are a bunch of third party "security" tools that are using this bug (er feature) and thus microsoft is stuck between a rock and a hard place. it's not a SERIOUS bug, but it was just being used by the good guys first before the bad guys figured nefarious things to do. think of it this way.. wordperfect uses an undocumented feature (or exploits a bug). 3 years later that same undocumented feature can also cause a program to gain system level privileges. do you fix the bug and get sued by wordperfect for not documenting your calls (seriously) or not fix the bug and worry about everyone calling you an insecure (yet massively used) code house.

you win some, you lose some in the software industry

Re:SMH (1)

Sarten-X (1102295) | about 2 years ago | (#42264777)

do you fix the bug and get sued by wordperfect for not documenting your calls (seriously) or not fix the bug and worry about everyone calling you an insecure (yet massively used) code house.

You document the calls in the first place, as a standard part of making a public API, rather than using inside knowledge to keep wordperfect's development slower and more expensive than your own. Then when you fix the bug later, you stay as true to that documentation as is possible, so there's no indication of ill will in any loss of compatibility.

you win some, you lose some in the software industry

Software development is a business, not a casino. There's enough risk in the market alone without betting on whether a judge will allow shady legal tactics.

Re:SMH (1)

shutdown -p now (807394) | about 2 years ago | (#42265387)

Mouse events are not the only way to get mouse coordinates or button state - you can just directly ask the OS [microsoft.com] for the current state. The coordinates returned are relative to the screen, and can then be translated to window-relative coordinates. Sounds like IE is doing just that.

Black screen (0)

Anonymous Coward | about 2 years ago | (#42264333)

I don't know about you guys, but if someone was mapping my mouse movements they'd get a black screen from all the idle mouse looping (and intense gaming) i do...not sure what value they can get from it. Way too much noise and not enough signal here.

Let me be the first to say... (1)

bmk67 (971394) | about 2 years ago | (#42264355)

...you've got to be fucking kidding me.

Because I am too lazy (1)

xevioso (598654) | about 2 years ago | (#42264393)

to RFA, can someone explain exactly how this can be exploited by analytics companies with regards to ads?

If my browser is not active, and I have, say, an iTunes window open on top, then how will these analytic companies know the mouse is over a spot on iTunes that has an ad underneath in the browser window? Are ad companies making money by your mouse just moving over an area rather than clicking on it? I know there are those ad companies that have flash/html5 ads that do something nifty when you roll over them, but for there to be any money made, I thought you had to click somewhere in the ad. So how would an analytic company make money on just the rollovers when the browser isn't active?

Re:Because I am too lazy (1)

yorgasor (109984) | about 2 years ago | (#42264537)

Here, I'll RTFA for you, hopefully you're not too lazy to read this reply :)

It's dangerous if you're using virtual keyboards, as they can then track where your mouse is and potentially work as a keylogger.

Re:Because I am too lazy (1)

xevioso (598654) | about 2 years ago | (#42264609)

Right, I actually read that part after I did RTFA, but that doesn't answer the part in the OP, which was
"The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month.'"

How does using a virtual keyboard have anything to do with this? Sure the amount of people using virtual keyboard is incredibly small, and the ads rolled over or visited by those folks are probably much smaller still.

Re:Because I am too lazy (1)

ericloewe (2129490) | about 2 years ago | (#42264825)

It's only extremely small while Windows 8 + touch screens don't get more common

Re:Because I am too lazy (0)

Anonymous Coward | about 2 years ago | (#42264549)

It doesn't, this is pretty useless really

HTML/A like PDF/A (0)

Anonymous Coward | about 2 years ago | (#42264395)

We need a back to the basics web standard that is long-term stable and only offers link interactivity. No hover, no conditional loading, no scripting, just pages linked to other pages.

Re:HTML/A like PDF/A (0)

Anonymous Coward | about 2 years ago | (#42264715)

I was always behind a reinvention of Gopher for the modern information services age.

Something that allows more personalization but still a very very simple text service overall. (some image media at least that lets you flow content around it, similar to a wikipedia page I guess)

So, with this you could have your logos, some images, and text. The absolute basics.
There are so many information services that could do stuff like that.
And better yet, they can be iframed too, so you could provide only those or a wrapper site around it for interactive versions of the site.

Re:HTML/A like PDF/A (0)

Anonymous Coward | about 2 years ago | (#42264751)

Do you do parties? You sound like a lot of fun!

Re:HTML/A like PDF/A (1)

JDG1980 (2438906) | about 2 years ago | (#42264989)

We need a back to the basics web standard that is long-term stable and only offers link interactivity. No hover, no conditional loading, no scripting, just pages linked to other pages.

This sounds like an interesting concept, but any attempt to actually implement it would descend into political morass. OK, no Javascript, that's pretty straightforward... but there are a million other arguments that would inevitably crop up. Should CSS be permitted, and if so, to what extent? (You already indicated you wouldn't want the :hover selectors.) What about images? If they're prohibited altogether, the standard would be very unlikely to catch on. Presumably a small number of widespread image formats would be allowed (JPEG and PNG most obviously). What about SVGs? Permitted or verboten? How about animated GIFs? What about iframes? Should links be allowed to pop up in a separate window/tab with the "target" attribute? (Technically, that's not JavaScript.)

Any one of these questions could take months of committee meetings to sort out.

I always thought this was a feature. (-1)

Anonymous Coward | about 2 years ago | (#42264401)

Flash can do it as well.
I was always annoyed that others couldn't do it.

I mean, let's be honest, what the hell can be found out by watching mouse movements?
Yeah, big deal, you can see a person's hotspots of activity, oh no, they know I draw dicks in Paint when I am bored! YOU EVIL HACKERS YOU!
There are no implications, some stupid ad site gets a little more information on you closing its probable pop-ups or not hovering over ads or, OH WAIT, all of that is INSIDE a browser context! Mouse movements and clicks have NO context outside of a browser window with respect to the browser.
God damn paranoid people man. Think before you spew your sperg cream.
I bet you probably cried when they announced the Mouse Lock API as well. (when there were already considerations for security beforehand, the whole "ask for permission" thing that has been added by default to pretty much every single new external feature of JS in recent years like they should have been, *cough* W3C sucks *cough*)
Hell, there is a good idea right there, "let this website track my mouse movements when it isn't focused". Extend the API. Problem solved.

Someone drew their personal information in Paint? That is what they get for being morons and not knowing the text tool exists, that huge thing with the A on it. yeah, that there. Click it.

Re:I always thought this was a feature. (1)

Bitsy Boffin (110334) | about 2 years ago | (#42264775)

How do you type on a tablet, or if you do not have use of your hands? That's right, an on screen keyboard.

Like having a built in keylogger do you?

Re:I always thought this was a feature. (1)

Blakey Rat (99501) | about 2 years ago | (#42264851)

On-screen keyboards, when used on touch or pen displays, don't have a "mouseX" or "mouseY". Right? Those variables would be filled-in only for the one click event being sent to the application receiving it, presumably when generating a "nothing" event they are blank.

So I don't see how this can be used to exploit it. Or maybe there's something I'm missing.

Criminal charges (1)

Anonymous Coward | about 2 years ago | (#42264429)

If there really are analytic companies exploiting vulnerabilities to hack browsers and spy on users across state lines I hope charges are pending.

Re:Criminal charges (1)

PlusFiveTroll (754249) | about 2 years ago | (#42265577)

In theory this is a *feature* of IE and not a bug.

Then again this is why I use noscript and the EasyList + EasyPrivacy filter set

Picture password? (1)

Ken_g6 (775014) | about 2 years ago | (#42264501)

I haven't even touched a computer with Windows 8, so forgive my ignorance, but could this be used to capture someone's picture password strokes?

Re:Picture password? (1)

mcl630 (1839996) | about 2 years ago | (#42264619)

Yes

Re:Picture password? (2)

JediJorgie (700217) | about 2 years ago | (#42264805)

Bullshit... at least not the picture password for the local machine.

When you are entering your picture password, you are in a special trusted process that _even_with_UAC_off_ is isolated from normal user processes.

However, if you are remoting into another machine, it can capture anything you draw there...

Jorgie

Re:Picture password? (0)

Anonymous Coward | about 2 years ago | (#42265103)

They're tracking the mouse cursor across the screen with a polling loop. That works for any process on the same desktop. Is the picture password on the user desktop or the login desktop?

Track my mouse? (4, Funny)

PPH (736903) | about 2 years ago | (#42264507)

Good. I always suspected the little bastard was up to something when I'm not around.

Can they do this for my car keys as well?

Unauthorized bandwidth usage lawsuits (1)

Anonymous Coward | about 2 years ago | (#42264509)

Since, you know, I have to pay for all data that traverses my tubes... I should totally be able to sue people that trespass on my tubes to spy on me, thus stealing bandwidth I have to pay for.

Do I have any legal legs to stand on if I sue Microsoft for each license of Windows I have connected to the internet? I would classify this as negligence.

I would sue a home-builder that built in a way for people to look into my home *and* make me pay for their privilege to do so... particularly had they marketed the home without a caveat.

Re:Unauthorized bandwidth usage lawsuits (2)

aicrules (819392) | about 2 years ago | (#42264621)

No, you would likely have your legs removed for filing such a lawsuit.

The Big Picture (1)

Frosty Piss (770223) | about 2 years ago | (#42264601)

You're not seeing the big picture. Mouse movement patterns can predict attitudes, political orientation, sexual orientation, and how many pets someone owns. The r squared of the correlation is nearly 0.05 making it extremely interesting to analytic companies. There is a database somewhere of literally years of mouse movement records that demonstrate changes in religion, politics, and mean income. We're talking about a new marketing paradigm for the 21st century advertiser.

I use IE5 (2, Funny)

Anonymous Coward | about 2 years ago | (#42264613)

All supported versions of Microsoft's browser are reportedly affected: IE6, IE7, IE8, IE9, and IE10.

Vindication!

Which companies are exploiting this? (2)

Lieutenant_Dan (583843) | about 2 years ago | (#42264729)

Good for the Spider guys to discover this problem. It would be more helpful if they named/shamed the companies that are exploiting this.

Anyone have this info?

Which ad analytics companies are using this? (1)

djdanlib (732853) | about 2 years ago | (#42264753)

Which ad analytics companies are using this? I read all the linked material and all I see is some lofty assertion that two companies are already using it. Name and shame them, would you please?

All browsers are affected. (1)

Anonymous Coward | about 2 years ago | (#42264839)

This is not news.

exploited for what? (2)

Twillerror (536681) | about 2 years ago | (#42264843)

I want this patched, but I'm very curious as to how this really compromises anything.

I can see how it can affect virtual keyboards. Who exactly is this market? People using IE and using virtual keyboards for security reasons? Can we have a Slashdot poll of virtual keyboard users and their favorite browser?

It says these ad sites are using the data. What exactly does this give them...maybe the fact that I click the start button at 10:01 A.M. every day? Otherwise it is just random X,Y coords without knowing what app has focus.

Re:exploited for what? (0)

Anonymous Coward | about 2 years ago | (#42265269)

Well. Say I'm hawking advertisements. I know where your mouse pointer is. I know you're about to close my ad. So, I move the ad to somewhere else on the screen. I can see how it can be used for nuisance value.

Pointer Lock API (1)

jimshatt (1002452) | about 2 years ago | (#42264861)

Couldn't something similar be achieved using the Pointer Lock API [mozilla.org], as implemented by Firefox and Webkit browsers?

Re:Pointer Lock API (1)

hobarrera (2008506) | about 2 years ago | (#42265235)

I believe this only provides mouse movement data while the window has focus.

Exploit virtual keyboards? Good luck with that. (0)

Anonymous Coward | about 2 years ago | (#42264877)

OH, yeah, sure, exploit those virtual keyboards.

First you have to go through the noise of mouse movements, then you have to map that to a possible offset of where the virtual keyboard could be in order to actually get useful information.
Do you know how insanely hard that would be even in optimal conditions?
They likely clicked almost exactly in the middle of each of said keys in order to make it very easy to prove a point. That never happens in real life, half the time people misclick the damn keys on the things.
And considering a person who would even be using an on-screen keyboard, FAR MORE LIKELY TO MISS. I knew several people who had to use them due to disabilities and it ain't an easy job even with the on-screen keyboard and a mouse.
Why the on-screen keyboards have no key-browse mode that moves the focus to another key as you move the mouse in a direction is beyond me, that would be considerably more useful for the uses it would actually be needed for!
And it also wouldn't be anywhere near as exploitable as this is.

They just can't get anything right... (1)

UltraZelda64 (2309504) | about 2 years ago | (#42265407)

Microsoft headed off to a good start by enabling the joke that is the DNT header by default. And now... the same kind of ridiculously bad exploits that Internet Explorer has been known for since its beginning re-emerge like a bad case of the varicella zoster virus and shit all over it.
