On-screen keyboard and keypady traditionally considered the most effective means of protection against malicious software - 'keyloggers' that can log your keystrokes and thus capture passwords and other confidential data entered from the normal keyboard. However, web analytics website Spider.io found that the virtual keyboard does not guarantee the desired security if to open that page using any modern web browser Internet Explorer (IE from IE 6 to 10).
Vulnerabilities danger lies in the fact that its use does not require any additional software, and successfully identified the location of the cursor in the browser, even if the application window has been minimized by the user. All you have to do an attacker - is to buy ad space on the site you visit often, after which he will be able to follow the movements of the mouse as long as the tab is still open to advertising.
Staff research firm reported Vulnerabilities representatives of Microsoft in October of this year, but only now the news became public. Experts from the research center Microsoft Security Research Centre recognized the vulnerability, but said that the release of the corresponding patch does not appear in the immediate plans of the company.
Make sure you have this vulnerability will allow you a simple and intuitive test, published online http://iedataleak.spider.io/demo (link should be opened in a browser window, IE). According to experts, the vulnerability is already being used pair analysis companies to measure the effectiveness of advertising on Web pages. It is possible that in the future, found 'gap' will be used in a less benign purposes. For example, victims of fraud may be site visitors using the onscreen keyboard to enter confidential information.
It should, however, mention that use vulnerabilities for successful attacks and can provide useful information only if certain specific conditions are met: the hacker needs to know what site the user visits (or with any web application it works), as well as a good understanding of design page.
Link: http://www.wired.co.uk/news/archive/2012-12/12/ie-vulnerability-mouse-tracking
No comments:
Post a Comment