Kaspersky Makes Changes After Products Raise Privacy Concerns

Kaspersky has made some changes to the way its products check web pages for malicious activity after a researcher discovered an issue that could have been exploited to track users online.

Ronald Eikenberg of Germany’s c’t magazine discovered that Kaspersky security software checked webpages by injecting a script that loaded JavaScript code from the cybersecurity firm’s servers. The main problem with this script was that the URL from which the code was loaded contained an identifier that was unique and permanently assigned to each device.

The script and its URL were inserted into the source code of every website the user visited, so the unique ID could easily be read by any of those sites, regardless of which browser was used or whether it was in incognito mode.

Eikenberg set up a test website that demonstrated how a malicious site could track a device based on Kaspersky’s unique identifier.

“Any website can read the user’s Kaspersky ID and use it for tracking,” Eikenberg explained. “If the same Universally Unique Identifier comes back, or appears on another website of the same operator, they can see that the same computer is being used. If this assumption is correct, Kaspersky has created a dangerous tracking mechanism that makes tracking cookies look old. In that case, websites can track Kaspersky users, even if they switch to a different browser.”

The vulnerability, tracked as CVE-2019-8286, has been found to affect Kaspersky Anti-Virus up to 2019, Internet Security up to 2019, Total Security up to 2019, Free Anti-Virus up to 2019, and Small Office Security up to version 6. Patch F, which addresses the issue, was automatically pushed out to users in early June.

“Kaspersky has changed the process of checking web pages for malicious activity by removing the usage of unique identifiers for the GET requests,” Kaspersky told SecurityWeek. “This change was made after Ronald Eikenberg reported to us that using unique identifiers for the GET requests can potentially lead to the disclosure of a user’s personal information.”

The company added, “After our internal research, we have concluded that such scenarios of user’s privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process.”


According to Eikenberg, Kaspersky still injects a script with an ID into every visited website, but the identifier is now the same for all users of a specific Kaspersky product and version.

“A website can no longer recognize individual users. However, that means it is still possible to find out if a visitor has installed Kaspersky software on their system and how old that software is,” Eikenberg said.

“That is actually valuable information to an attacker. They may use that information to distribute malware tailored to the protection software, or to redirect the browser to a suitable scamming page. Imagine something along the lines of ‘Your Kaspersky license has expired. Please enter your credit card number to renew your subscription’,” the researcher added.
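An added example, not from the article, c’t, or Kaspersky: a small JavaScript audit that scans a page’s script tags for third-party URLs whose path carries a UUID-shaped segment (the per-device identifier described above) as opposed to only a product-version token (the post-patch behaviour). The hostnames, paths and identifier values are constructed placeholders, not the vendor’s real endpoints.

```javascript
// Added example (not from the article or the vendor): audits the <script src=...>
// tags of a page for third-party URLs that embed identifiers usable for tracking.
// All hosts, paths and IDs below are constructed placeholders.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const VERSION_RE = /^v?\d+(\.\d+)+$/;

// Collect every script src from raw HTML; a regex is enough for this audit, no DOM needed.
function scriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// A UUID segment is a per-device identifier (the CVE-2019-8286 case); a version
// segment only reveals which product/version is installed (the patched behaviour).
function classify(url) {
  const segments = url.pathname.split("/").filter(Boolean);
  if (segments.some((s) => UUID_RE.test(s))) return "per-device-id";
  if (segments.some((s) => VERSION_RE.test(s))) return "product-version";
  return "none";
}

// Resolve each src against the page origin, keep only third-party scripts, and rate them.
function auditInjectedScripts(html, firstPartyOrigin) {
  const own = new URL(firstPartyOrigin).origin;
  return scriptSources(html)
    .map((src) => new URL(src, firstPartyOrigin))
    .filter((u) => u.origin !== own)
    .map((u) => ({ src: u.href, risk: classify(u) }));
}

// Constructed sample pages: one with a UUID beacon, one after a version-only change.
const PAGE_BEFORE = `<html><head>
<script src="/app.js"></script>
<script src="https://av-vendor.invalid/script/3fcb3a4c-1f93-4d2b-9a0e-5b6c7d8e9f01/main.js"></script>
</head></html>`;
const PAGE_AFTER = `<html><head>
<script src="/app.js"></script>
<script src="https://av-vendor.invalid/script/19.0.0/main.js"></script>
</head></html>`;

for (const page of [PAGE_BEFORE, PAGE_AFTER]) {
  console.log(auditInjectedScripts(page, "https://shop.example"));
}
```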

Related: Kaspersky Patches Vulnerabilities in Secure Mail Gateway

Related: Remote Code Execution Flaw Found in Kaspersky Products

Related: Kaspersky VPN Bug Leaked DNS Lookups

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
