HEAT Security Blog

Spider.io Warns of Massive IE Security Flaw; But is it Legit?

’Twas a week before Christmas and all through the house, not a creature was stirring. Not even your ad-tracked mouse.

I have been reading posts on both sides of this mouse-tracking issue (see here and here), and I am not yet convinced the sky is falling. This simply does not reach the level of concern of a remote code execution exploit, for example.

Charging for banner-ad clicks is big business today, and unfortunately so is generating fake clicks on ads with automated bots. Firms use the technology that is the focus of Spider.io’s claims to determine whether an ad click actually came from a user viewing the ad or from a bot. Because so much online advertising is pay-per-click, it is easy to see why reducing the number of false clicks is attractive to advertisers. This technology has therefore been designed into common browsers, including Google Chrome, Mozilla Firefox and Microsoft IE.

Digging a little deeper, it seems Google limits the tracking to a given tab and Mozilla limits it to a frame. The biggest difference I see is that Microsoft does not impose those limits, though I suspect it is something they are looking into.

For the exploit Spider.io describes to work, the browser stars all seem to need to be aligned to target an individual. An attacker would need to know the user’s exact screen resolution, the location of the virtual keyboard and the key layout being used. Yes, in a lab environment it can be made to look spectacular, but in the real world I question just how much of a threat this really is to users. If you change any of those settings (resolution, keyboard position or layout), this is no longer an issue. For example, my bank uses a randomized keyboard in its banking application, so it would not be an issue there. The only other device I use with a virtual keyboard is my iPad. I use ad blockers in my browser, and I simply do not visit my brokerage or banking sites from the iPad; there are other risks just from being on WiFi that preclude that use for me.
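The following JavaScript is an added illustration, not code from the blog or from Spider.io, of the precondition the paragraph above describes: captured absolute screen coordinates only turn into keystrokes when the attacker also knows where the on-screen keyboard sits and which key is where, and a per-session randomized layout (the bank-keyboard case) breaks that mapping even when the coordinates are captured perfectly. The keyboard geometry, the click samples and the PRNG seed are all constructed; a real tracking page would take screenX/screenY from mouse events rather than from a fixture.

```javascript
// Added illustration (not code from the blog or from Spider.io): why absolute
// screen coordinates only become keystrokes when the attacker also knows the
// on-screen keyboard's position and layout, and why a per-session randomized
// layout breaks that mapping. All geometry and click samples are constructed.

// Assumed on-screen keyboard geometry: three rows of 60x60 px keys whose
// top-left corner sits at (340, 500) in absolute screen pixels.
const DEFAULT_KEYBOARD = {
  x: 340, y: 500, keyW: 60, keyH: 60,
  rows: ['qwertyuiop', 'asdfghjkl', 'zxcvbnm'],
};

// Map one absolute screen coordinate to the key under it, or null when the
// point is outside the keyboard (e.g. a click on a "Log in" button).
function keyAt(screenX, screenY, kb) {
  const col = Math.floor((screenX - kb.x) / kb.keyW);
  const row = Math.floor((screenY - kb.y) / kb.keyH);
  if (row < 0 || row >= kb.rows.length) return null;
  if (col < 0 || col >= kb.rows[row].length) return null;
  return kb.rows[row][col];
}

// Decode a sequence of captured clicks ({screenX, screenY}) against a layout.
function inferTyped(clicks, kb) {
  return clicks
    .map((c) => keyAt(c.screenX, c.screenY, kb))
    .filter((k) => k !== null)
    .join('');
}

// Where a user's clicks land (key centres) when typing `text` on keyboard `kb`.
function clicksFor(text, kb) {
  return Array.from(text, (ch) => {
    const row = kb.rows.findIndex((r) => r.includes(ch));
    if (row < 0) throw new Error(`no key for ${JSON.stringify(ch)}`);
    const col = kb.rows[row].indexOf(ch);
    return {
      screenX: kb.x + col * kb.keyW + kb.keyW / 2,
      screenY: kb.y + row * kb.keyH + kb.keyH / 2,
    };
  });
}

// Small seeded PRNG (mulberry32) so the example is reproducible; a real
// randomized keyboard would draw from a CSPRNG instead.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Per-session keyboard: same geometry, each row's keys shuffled so that no
// key stays where the default layout has it (a derangement). That is what
// defeats an attacker who decodes coordinates with the default layout.
function randomizedKeyboard(kb, seed) {
  const rand = mulberry32(seed);
  const rows = kb.rows.map((row) => {
    for (let attempt = 0; attempt < 1000; attempt++) {
      const keys = row.split('');
      for (let i = keys.length - 1; i > 0; i--) { // Fisher-Yates shuffle
        const j = Math.floor(rand() * (i + 1));
        [keys[i], keys[j]] = [keys[j], keys[i]];
      }
      if (keys.every((k, i) => k !== row[i])) return keys.join('');
    }
    throw new Error('could not derange row');
  });
  return { ...kb, rows };
}

// Walk the two scenarios the post contrasts and return what the attacker
// decodes in each. The (640, 700) click is a constructed "Log in" button
// press that lies outside the keyboard and is dropped by inferTyped.
function demo(secret, sessionSeed) {
  // Static keyboard: an attacker who knows resolution and layout reads it all.
  const staticClicks = [{ screenX: 640, screenY: 700 }, ...clicksFor(secret, DEFAULT_KEYBOARD)];
  const staticGuess = inferTyped(staticClicks, DEFAULT_KEYBOARD);
  // Randomized keyboard: same coordinates captured, same assumption, wrong answer.
  const sessionKb = randomizedKeyboard(DEFAULT_KEYBOARD, sessionSeed);
  const sessionClicks = clicksFor(secret, sessionKb);
  const randomizedGuess = inferTyped(sessionClicks, DEFAULT_KEYBOARD);
  // Only someone holding the session layout recovers the real input.
  const trueTyped = inferTyped(sessionClicks, sessionKb);
  return { staticGuess, randomizedGuess, trueTyped };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo('pass', 20121212));
}
```

With the static layout the decoder recovers the typed text exactly; with the randomized layout every click still lands on a key, so the attacker gets a four-character guess, but because each key has moved, none of the characters is right. Knowing the resolution gives nothing without the layout, which is the point the post makes about the bank keyboard.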

I can’t help but think there is more to this story. For example, perhaps Spider.io, which is in the telemetry and adware business, does not use this technology and its competitors do. Maybe that is costing Spider.io a little business, and perhaps some of this hype is being generated to steer that business back to Spider.io. Simply put, I fail to see how the issue ranks as a “Massive IE Security Flaw”, and I doubt it brings about enough risk to warrant any form of out-of-band patch from Microsoft.