We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Internet Explorer flaw gives ad trackers a sneaky edge -- for now

The security company Spider.io has found advertising analytics companies are using the flaw to measure ad views

Some advertising analytics companies are using a vulnerability in Microsoft's Internet Explorer browser for a questionable edge in figuring out if web users are actually seeing display advertisements buried within web pages.

The flaw, if fixed by Microsoft, could take away a metric called "viewability," which is helping companies decide where to spend their sought-after advertising budgets on display ads with only the most productive of publishers.

Spider.io, a U.K.-based security company, published details of the vulnerability on Wednesday. But the flaw has been used for some time by at least two major advertising analytics companies in the course of business, said Spider.io CEO Douglas de Jager.

Display advertising is hoped to be a rich source of revenue for publishers. But not many people actually click on display ads, which makes it harder to measure whether the ads are having an impact on customers. Display ads are usually sold for a fee per one thousand impressions, known as CPM.

Display ads may be shown further down a web page where a user never scrolls. The flaw in Internet Explorer allows advertising networks to serve ads rigged with special JavaScript code in order to figure out if an ad has actually been seen, which is much more useful information for advertisers.

Advertisers want to know if their ad has fallen within the "viewport," or the viewing area of a browser where a person sees content, which is smaller than the real size of a web page.

But advertisers don't know the position of their ad relative to the host web page. For security reasons, advertisements are prevented from running JavaScript code on the host web page that would send the coordinates for the ad.

Browsers such as Chrome and Safari are capable of delivering information on the position of an ad relative to the screen. With that information, advertisers could figure out if the ad is actually within the user's viewport. But that capability is turned off in those browsers for a variety of security-related reasons.

IE also does not reveal screen information. But IE's flaw reveals the position of the cursor relative to the advertisement and the position of the cursor relative to the screen. Whether the ad is visible in the viewport can be calculated by triangulating, according to a video from Spider.io.

Spider.io's de Jager said this "viewability" metric is being used by at least two major advertising analytics companies to blacklist publishers whose display ads are not seen.

"They use this viewability data for who is a good publisher and who is a bad publisher," said de Jager in a phone interview from London on Thursday. "This is being used by the savviest of the performance marketers in the display advertising world."

It means that those marketers could stand to make more money since they are delivering what would be considered higher quality ad inventory.

Spider.io said it notified Microsoft of the problem on Oct. 1, which acknowledged the issue but said it didn't have immediate plans to patch it. The problem affects all Microsoft browser versions going back to IE6.

Microsoft officials did not have an immediate comment on Thursday.

Spider.io discovered the problem within the course of its security work and then later found out it was actually being used in order to track advertisements, de Jager said.

He said he recently had a conversation with a major ad analytics company in New York that was aware of the flaw. The company, he said, chose not to use the problem for its ad tracking but was having to explain to clients why they were not using it to measure viewability.

"It is an industry in flux at the moment," de Jager said. "It's an IP [intellectual property] battle on who can deliver that new metric."

As long as users keep the exploitive display advertisement open, no matter if the browser is minimized, their mouse movements anywhere on a screen can be tracked.

It also has other risks: it could allow an attacker to collect information typed into a software or virtual keyboard, which are sometimes used to prevent people from typing on a real keyboard, avoiding malicious software that record keystrokes.

Send news tips and comments to [email protected] Follow me on Twitter: @jeremy_kirk


IDG UK Sites

Best Black Friday 2014 tech deals: Get bargains on smartphones, tablets, laptops and more

IDG UK Sites

What the Internet of Things will look like in 2015: homes will get smarter, people might get fitter

IDG UK Sites

See how Trunk's animated ad helped Ade Edmondson plug The Car Buying Service

IDG UK Sites

Yosemite tips: Complete Guide to OS X Yosemite