As malware attacks become more sophisticated, antivirus software vendors need to improvise in order to protect their customers.
One of them is Kaspersky, the Russian cybersecurity company popular for its antivirus solutions. The company goes to great lengths, even scanning the websites opened on its customers' machines in order to find malware.
But this has issues, as explained by Ronald Eikenberg, a German journalist working for c't Magazin.
Notice the bold letter-number combination which represents users' Universally Unique Identifier (UUID).
According to Eikenberg, in the English version of his article:
"Other scripts running in the context of the website domain can access the entire HTML source any time, which means they can read the Kaspersky ID. In other words, any website can read the user's Kaspersky ID and use it for tracking."
The tech industry calls the method Kaspersky used 'cross-site tracking'.
While the software did this to protect users, the company also made itself able to track users for years. This is considered bad practice where user privacy is concerned.
While users could certainly disable this Kaspersky ID injection by going into their Kaspersky software settings and unchecking the 'Inject script into web traffic to interact with web pages' option, the feature was unfortunately turned on by default.
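A user-side check for whether this kind of injection is active, as an added example that is not from Eikenberg's article or from Kaspersky: it compares page sources saved from unrelated sites on one machine and reports any UUID-shaped token in a script URL that appears on more than one origin. The host names, UUIDs and function names are constructed for illustration.

```javascript
// Added example: audit page sources captured on ONE machine for an injected,
// machine-stable identifier. All hosts and UUIDs below are constructed samples.
const UUID_RE = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/gi;
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;

// Return every UUID-shaped token found in a <script src="..."> URL of the HTML.
function uuidsInScriptSrc(html) {
  const found = new Set();
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    for (const u of m[1].match(UUID_RE) || []) found.add(u.toUpperCase());
  }
  return found;
}

// captures: [{ origin, html }], each saved via "view source" in the browser.
// A token that shows up on two or more unrelated origins is a candidate for
// an identifier added on the client rather than by the sites themselves.
function findCrossSiteIds(captures) {
  const seenOn = new Map(); // uuid -> Set of origins it appeared on
  for (const { origin, html } of captures) {
    for (const id of uuidsInScriptSrc(html)) {
      if (!seenOn.has(id)) seenOn.set(id, new Set());
      seenOn.get(id).add(origin);
    }
  }
  return [...seenOn]
    .filter(([, origins]) => origins.size >= 2)
    .map(([id, origins]) => ({ id, origins: [...origins].sort() }));
}

// Constructed sample input: the same injected tag on two sites, a site-specific
// UUID on one of them, and a third page with no scripts at all.
const injected =
  '<script type="text/javascript" src="https://injector.example/1A2B3C4D-0000-4000-8000-ABCDEF012345/main.js"></script>';
const sampleCaptures = [
  { origin: "https://news.example", html: `<head>${injected}<script src="/app.js"></script></head>` },
  { origin: "https://shop.example", html: `<head><script src='/cdn/7f3e1a90-1111-4222-8333-0123456789ab.js'></script>${injected}</head>` },
  { origin: "https://bank.example", html: "<head><title>no scripts</title></head>" },
];

console.log(JSON.stringify(findCrossSiteIds(sampleCaptures), null, 2));
```

A shared third-party script can also carry the same token on several sites, so confirm a hit by reloading the pages with the injection option switched off and checking that the token disappears.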
Eikenberg explained that:
"If the same Universally Unique Identifier comes back, or appears on another website of the same operator, they can see that the same computer is being used."
Of course, "that is actually valuable information to an attacker," Eikenberg added. "They may use that information to distribute malware tailored to the protection software, or to redirect the browser to a suitable scamming page."
Eikenberg notified Kaspersky of the problem, and after a couple of weeks, the company confirmed that the issue existed on all versions of Kaspersky antivirus software, ranging from Kaspersky Free Anti-Virus to Kaspersky Total Security, dating back to the fall of 2015.
"Several million users must have been exposed" overall, Eikenberg reasoned.
The company fixed the issue in June 2019, by releasing a security patch to all affected Kaspersky products, and published a security advisory alerting its customers of the flaw.
Here is Kaspersky's statement concerning the issue:
"This change was made after Ronald Eikenberg reported to us that using unique identifiers for the GET requests can potentially lead to the disclosure of a user's personal information."
"After our internal research, we have concluded that such scenarios of user's privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process."
"We'd like to thank Ronald Eikenberg for reporting this to us."