Friday, December 14, 2012

IE vulnerability allows attackers to track mouse cursor, even if IE window is inactive

Internet users often use a virtual keyboard when typing their passwords, to protect their data from being stolen by keyloggers. A new bug in IE appears to make the virtual keyboard insecure.

A security researcher from Spider.io claimed to have discovered a security flaw in Internet Explorer versions 6 through 10 that could allow hackers to track a user's mouse movements, even if the IE window is minimized.

"Internet Explorer’s event model populates the global Event object with some attributes relating to mouse events, even in situations where it should not," Spider.io explained.


"Combined with the ability to trigger events manually using the fireEvent() method, this allows JavaScript in any webpage (or in any iframe within any webpage) to poll for the position of the mouse cursor anywhere on the screen and at any time—even when the tab containing the page is not active, or when the Internet Explorer window is unfocused or minimized. The fireEvent() method also exposes the status of the control, shift and alt keys."

A demo of the bug can be found here:
http://iedataleak.spider.io/demo

They have also created a game (iedataleak.spider.io) to illustrate how easily this security vulnerability in Internet Explorer may be exploited to compromise the security of virtual keyboards and virtual keypads.

