Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Kaspersky Makes Changes After Products Raise Privacy Concerns

Kaspersky has made some changes to the way its products check web pages for malicious activity after a researcher discovered an issue that could have been exploited to track users online.

Kaspersky has made some changes to the way its products check web pages for malicious activity after a researcher discovered an issue that could have been exploited to track users online.

Ronald Eikenberg of Germany’s c’t magazine discovered that Kaspersky security software checked webpages by injecting a script that loaded JavaScript code from the cybersecurity firm’s servers. The main problem with this script was that the URL from which the code was loaded contained an identifier that was unique and permanently assigned to each device.

The script and the URL were loaded into the source code of each website visited by the user and the unique ID could have been easily read by each website, regardless of the browser used and if it was in incognito mode.

Eikenberg set up a test website that demonstrated how a malicious site could track a device based on Kaspersky’s unique identifier.

“Any website can read the user’s Kaspersky ID and use it for tracking,” Eikenberg explained. “If the same Universally Unique Identifier comes back, or appears on another website of the same operator, they can see that the same computer is being used. If this assumption is correct, Kaspersky has created a dangerous tracking mechanism that makes tracking cookies look old. In that case, websites can track Kaspersky users, even if they switch to a different browser.”

The vulnerability, tracked as CVE-2019-8286, has been found to affect Kaspersky Anti-Virus up to 2019, Internet Security up to 2019, Total Security up to 2019, Free Anti-Virus up to 2019, and Small Office Security up to version 6. Patch F, which addresses the issue, was automatically pushed out to users in early June.

“Kaspersky has changed the process of checking web pages for malicious activity by removing the usage of unique identifiers for the GET requests,” Kaspersky told SecurityWeek. “This change was made after Ronald Eikenberg reported to us that using unique identifiers for the GET requests can potentially lead to the disclosure of a user’s personal information.”

The company added, “After our internal research, we have concluded that such scenarios of user’s privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process.”

According to Eikenberg, Kaspersky still injects a script with an ID into every visited website, but the identifier is now the same for all users of a specific Kaspersky product and version.

“A website can no longer recognize individual users. However, that means it is still possible to find out if a visitor has installed Kaspersky software on their system and how old that software is,” Eikenberg said.

“That is actually valuable information to an attacker. They may use that information to distribute malware tailored to the protection software, or to redirect the browser to a suitable scamming page. Imagine something along the lines of ‘Your Kaspersky license has expired. Please enter your credit card number to renew your subscription’,” the researcher added.

Related: Kaspersky Patches Vulnerabilities in Secure Mail Gateway

Related: Remote Code Execution Flaw Found in Kaspersky Products

Related: Kaspersky VPN Bug Leaked DNS Lookups

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.