Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Kaspersky Makes Changes After Products Raise Privacy Concerns

Kaspersky has made some changes to the way its products check web pages for malicious activity after a researcher discovered an issue that could have been exploited to track users online.

Kaspersky has made some changes to the way its products check web pages for malicious activity after a researcher discovered an issue that could have been exploited to track users online.

Ronald Eikenberg of Germany’s c’t magazine discovered that Kaspersky security software checked webpages by injecting a script that loaded JavaScript code from the cybersecurity firm’s servers. The main problem with this script was that the URL from which the code was loaded contained an identifier that was unique and permanently assigned to each device.

The script and the URL were loaded into the source code of each website visited by the user and the unique ID could have been easily read by each website, regardless of the browser used and if it was in incognito mode.

Eikenberg set up a test website that demonstrated how a malicious site could track a device based on Kaspersky’s unique identifier.

“Any website can read the user’s Kaspersky ID and use it for tracking,” Eikenberg explained. “If the same Universally Unique Identifier comes back, or appears on another website of the same operator, they can see that the same computer is being used. If this assumption is correct, Kaspersky has created a dangerous tracking mechanism that makes tracking cookies look old. In that case, websites can track Kaspersky users, even if they switch to a different browser.”

The vulnerability, tracked as CVE-2019-8286, has been found to affect Kaspersky Anti-Virus up to 2019, Internet Security up to 2019, Total Security up to 2019, Free Anti-Virus up to 2019, and Small Office Security up to version 6. Patch F, which addresses the issue, was automatically pushed out to users in early June.

Advertisement. Scroll to continue reading.

“Kaspersky has changed the process of checking web pages for malicious activity by removing the usage of unique identifiers for the GET requests,” Kaspersky told SecurityWeek. “This change was made after Ronald Eikenberg reported to us that using unique identifiers for the GET requests can potentially lead to the disclosure of a user’s personal information.”

The company added, “After our internal research, we have concluded that such scenarios of user’s privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process.”

According to Eikenberg, Kaspersky still injects a script with an ID into every visited website, but the identifier is now the same for all users of a specific Kaspersky product and version.

“A website can no longer recognize individual users. However, that means it is still possible to find out if a visitor has installed Kaspersky software on their system and how old that software is,” Eikenberg said.

“That is actually valuable information to an attacker. They may use that information to distribute malware tailored to the protection software, or to redirect the browser to a suitable scamming page. Imagine something along the lines of ‘Your Kaspersky license has expired. Please enter your credit card number to renew your subscription’,” the researcher added.

Related: Kaspersky Patches Vulnerabilities in Secure Mail Gateway

Related: Remote Code Execution Flaw Found in Kaspersky Products

Related: Kaspersky VPN Bug Leaked DNS Lookups

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

N-able has appointed Russell Rosa as Chief Revenue Officer.

Stacy O'Mara has joined Armadin as Chief Policy Officer and Director of Global Government Affairs.

F5 has appointed Cathy Peterman as Chief People Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.