Kaspersky Inadvertently Exposed Millions Of Web Visitors To Web Trackers

As malware attacks become more sophisticated, antivirus software vendors need to improvise in order to protect their customers.

One of them is Kaspersky, the Russian cybersecurity company popular for its antivirus solutions. The company goes to great lengths, even scanning the websites opened on its customers' machines in order to find malware.

But this has issues, as explained by Ronald Eikenberg, a German journalist working for c't Magazin.

He detailed how the Kaspersky software installed on a test laptop injected JavaScript code into every web page rendered by every browser on the device.

The JavaScript, found in the HTML source code of the web pages, was loaded from:

https://gc.kis.v2.scr.kaspersky-labs.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.js.

Notice the letter-number combination in the URL path, which is the user's Universally Unique Identifier (UUID).

According to Eikenberg in the English version of his article:

"That's a remarkably bad idea."

"Other scripts running in the context of the website domain can access the entire HTML source any time, which means they can read the Kaspersky ID. In other words, any website can read the user's Kaspersky ID and use it for tracking."

The tech industry calls what this method enabled 'cross-site tracking'.

While the software did this to protect users, the company also made it possible to track those users for years. This is considered bad practice where user privacy is concerned.

Making things worse, the JavaScript contained a unique ID that was replicated in every page rendered on a single machine, and this ID was exposed to any website that Kaspersky users visited.

While users could disable this Kaspersky ID injection by going into their Kaspersky software settings and unchecking 'Inject script into web traffic to interact with web pages', the option was unfortunately turned on by default.
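One way a user or administrator could check whether the pages reaching their own browser carry an injected script whose URL embeds a per-machine identifier, as an added example that is not code from the article, from Eikenberg or from Kaspersky (the audited host list and the shape of the post-fix URL are assumptions; the UUID in the sample is the one printed in the article):

```javascript
// Audit a page's HTML for <script src> tags served from security-product hosts
// and flag any whose URL path carries a UUID: a stable identifier that every
// site the user visits could read from the DOM and use for cross-site tracking.

const UUID_RE = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i;
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;

// Hosts whose injected scripts we audit. Only the host named in the article is
// listed; treat this as a configurable assumption, not a complete list.
const INJECTED_SCRIPT_HOSTS = ["kaspersky-labs.com"];

function auditInjectedScripts(html) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    let url;
    try { url = new URL(m[1]); } catch { continue; } // skip relative src values
    const host = url.hostname;
    if (!INJECTED_SCRIPT_HOSTS.some(h => host === h || host.endsWith("." + h))) continue;
    const uuid = url.pathname.match(UUID_RE);
    findings.push({
      src: url.href,
      host,
      trackable: uuid !== null,
      // Log only a truncated hint so the audit output itself does not leak the ID.
      idHint: uuid ? uuid[0].slice(0, 8) + "..." : null,
    });
  }
  return findings;
}

// Constructed sample pages: the first mirrors the pre-fix injection described in
// the article; the second assumes the fixed form, a URL with no per-user identifier.
const BEFORE_FIX = `<html><head>
<script type="text/javascript" src="https://gc.kis.v2.scr.kaspersky-labs.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.js" charset="UTF-8"></script>
<script src="https://cdn.example/app.js"></script>
</head><body>hello</body></html>`;

const AFTER_FIX = `<html><head>
<script src="https://gc.kis.v2.scr.kaspersky-labs.com/main.js"></script>
</head><body>hello</body></html>`;

console.log(JSON.stringify(auditInjectedScripts(BEFORE_FIX), null, 2));
console.log(JSON.stringify(auditInjectedScripts(AFTER_FIX), null, 2));
```

Running the same check against a page captured from a machine with the patched product should report the script with `trackable: false`, which is the observable effect of the fix Kaspersky describes below.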

To prove how invasive this JavaScript was, Eikenberg set up a website that would read the Kaspersky ID of visiting computers and display it back to them. Eikenberg asked his colleagues to browse to his site, and they found that it showed their ID plain and clear.

Eikenberg explained that:

"From that moment on, my test page greeted them personally whenever they opened the site - no matter which browser they used or how often they deleted cookies. Even the incognito mode did not offer any protection against my Kaspersky-infused tracking. At this point, it was clear that this was a serious security issue."

"If the same Universally Unique Identifier comes back, or appears on another website of the same operator, they can see that the same computer is being used."

Of course, "that is actually valuable information to an attacker," Eikenberg added. "They may use that information to distribute malware tailored to the protection software, or to redirect the browser to a suitable scamming page."

Eikenberg notified Kaspersky of the problem, and after a couple of weeks, the company confirmed that the issue existed on all versions of Kaspersky antivirus software, ranging from Kaspersky Free Anti-Virus to Kaspersky Total Security, dating back to the fall of 2015.

"Several million users must have been exposed" overall, Eikenberg reasoned.

The company fixed the issue in June 2019, by releasing a security patch to all affected Kaspersky products, and published a security advisory alerting its customers of the flaw.

Here is Kaspersky's statement concerning the issue:

"Kaspersky has changed the process of checking web pages for malicious activity by removing the usage of unique identifiers for the GET requests."

"This change was made after Ronald Eikenberg reported to us that using unique identifiers for the GET requests can potentially lead to the disclosure of a user's personal information."

"After our internal research, we have concluded that such scenarios of user's privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process."

"We'd like to thank Ronald Eikenberg for reporting this to us."

Published: 16/08/2019