The companies provide advertising analytics for billions of web page views every month, for hundreds of billions of adverts, says Doug de Jager, chief executive of spider.io, a London-based analytics firm which discovered the flaw.
"The vulnerability is being exploited rather mischievously by these companies to measure the viewability of display ads - arguably the hot topic in display advertising at the moment," de Jager told the Guardian. "Almost every US-based user of Internet Explorer will have their mouse cursor tracked via this exploit almost every day they browse the web."
The flaw means that a user's cursor can be tracked anywhere on the screen even if the browser window isn't active.
But Microsoft has said that it does not consider the vulnerability sufficiently important to merit an urgent security patch. "We are currently investigating this issue, but to date there are no reports of active exploits or customers that have been adversely affected," Microsoft said in a statement, adding that it would take "appropriate action to protect our customers".
De Jager insists that this is complacent - and wrong. He says that on 27 September his company notified one of the companies that is using the flaw, but has so far received no response. He also told Microsoft about the flaw on 1 October, and the company wrote back 11 days later saying that it had been able to reproduce the hack - but that it was still discussing the security implications.
De Jager has now decided to go public with it to prompt action.
The attacks can be triggered by display advertising on any website; if that page is open in the browser the movements of the mouse can be tracked. It also means that people using "virtual" keyboards and keypads in Internet Explorer, for example on tablets, would be vulnerable.
Malicious hackers might also be able to use the vulnerability, says de Jager: by watching where someone goes on a virtual keyboard, they could work out a credit card number and other personal details. "Having deciphered credit-card details, email address and telephone numbers, no more work needs to be done. Credit-card details would be used. Email address and telephone number would be sold to companies exploiting contact details – spammers and others.
"The next step would be to find the site/application to which these login details apply. This is typically done in brute-force fashion, by testing the login details on as many sites/applications as one can. One can reduce the number of sites/applications to which login details might apply by geolocating the IP address of the user whose login details have been compromised. By doing this, one might know that a user is based in Barcelona, and so the most likely sites/applications are unlikely to include a Californian bank, for example."
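The inference de Jager describes, turning cursor positions over a virtual keypad into the digits typed, as an added example written for this page (it is not spider.io's proof of concept, and the article does not describe how the cursor positions are obtained, so the code takes a stream of screen-coordinate samples as given and shows only the decoding step). The keypad geometry, the 100 ms sample rate, the dwell threshold and the cursor path are all constructed assumptions, not measurements of any real application.

```javascript
'use strict';

// Constructed on-screen numeric keypad: 3 columns x 4 rows of 60x60 px keys
// whose top-left corner sits at screen coordinates (400, 300). The layout and
// position are assumptions for this example, not measurements of a real app.
const KEYPAD = {
  originX: 400,
  originY: 300,
  keyW: 60,
  keyH: 60,
  rows: [['1', '2', '3'], ['4', '5', '6'], ['7', '8', '9'], ['', '0', '']],
};

// Map an absolute screen coordinate to the key under it, or null if the
// cursor is outside the keypad (or over a blank cell).
function keyAt(layout, x, y) {
  const col = Math.floor((x - layout.originX) / layout.keyW);
  const row = Math.floor((y - layout.originY) / layout.keyH);
  if (row < 0 || row >= layout.rows.length) return null;
  if (col < 0 || col >= layout.rows[row].length) return null;
  return layout.rows[row][col] || null;
}

// Turn a stream of cursor samples {t (ms), x, y} into the digits typed.
// A key counts as pressed once the cursor has rested on it for at least
// dwellMs; keys merely crossed while moving between presses are ignored.
function inferKeystrokes(samples, layout, dwellMs) {
  const typed = [];
  let current = null;   // key under the cursor in the previous sample
  let since = 0;        // time the cursor entered `current`
  let counted = false;  // whether `current` has already been emitted
  for (const s of samples) {
    const k = keyAt(layout, s.x, s.y);
    if (k !== current) {
      current = k;
      since = s.t;
      counted = false;
    }
    if (k !== null && !counted && s.t - since >= dwellMs) {
      typed.push(k);
      counted = true;
    }
  }
  return typed.join('');
}

// Constructed sample stream (not a real capture): cursor sampled every 100 ms
// while someone types "4159", pausing about half a second on each key.
function constructedSamples() {
  const centre = { 4: [430, 390], 1: [430, 330], 5: [490, 390], 9: [550, 450] };
  const out = [];
  let t = 0;
  const rest = (d, n) => {
    for (let i = 0; i < n; i++) { out.push({ t, x: centre[d][0], y: centre[d][1] }); t += 100; }
  };
  const travel = (a, b) => {
    for (let i = 1; i <= 3; i++) {
      out.push({
        t,
        x: centre[a][0] + (centre[b][0] - centre[a][0]) * i / 4,
        y: centre[a][1] + (centre[b][1] - centre[a][1]) * i / 4,
      });
      t += 100;
    }
  };
  rest('4', 5); travel('4', '1'); rest('1', 5); travel('1', '5');
  rest('5', 5); travel('5', '9'); rest('9', 5);
  return out;
}

// Constructed fast sweep across the middle row: each key is under the cursor
// for a single 100 ms sample, so nothing should be counted as a press.
function constructedSweep() {
  return [{ t: 0, x: 430, y: 390 }, { t: 100, x: 490, y: 390 }, { t: 200, x: 550, y: 390 }];
}

console.log(inferKeystrokes(constructedSamples(), KEYPAD, 300)); // 4159
console.log(JSON.stringify(inferKeystrokes(constructedSweep(), KEYPAD, 300))); // ""
```

Run with `node`. Two things the example makes concrete: the decoding needs the keypad's position on the screen, not within a page, which is why tracking that works "anywhere on the screen" rather than only inside the page is what makes virtual keyboards readable; and it depends entirely on the keypad layout being fixed and known in advance, so a keypad that shuffles its key positions each time it is shown cannot be read this way from coordinates alone.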
guardian.co.uk © Guardian News and Media Limited 2010
image: © The Next Web