A security flaw in Kaspersky antivirus leaves millions of users exposed to online hack
Security journalist Ronald Eikenberg of the German computer magazine c't revealed that a flaw in Kaspersky antivirus software allowed third parties to spy on its millions of users for years, even in the browser's Incognito Mode or when a different browser such as Chrome, Firefox, or Edge was used.
“That’s a remarkably bad idea,” Eikenberg explained. “Other scripts running in the context of the website domain can access the entire HTML source any time, which means they can read the Kaspersky ID. In other words, any website can read the user’s Kaspersky ID and use it for tracking. If the same Universally Unique Identifier comes back or appears on another website of the same operator, they can see that the same computer is being used.”
Eikenberg confirmed that the flaw was present in all versions of Kaspersky antivirus software released after late 2015.
“My inquiries revealed that the leak was introduced with Kaspersky’s ‘2016’ editions, released in the autumn of 2015. And the UUID wasn’t hidden. If I was able to find it by happenstance, various people, from eager marketers to malicious attackers, may have been exploiting it for almost four years,” he added. “Several million users must have been exposed overall.”
Kaspersky, for its part, fixed the flaw this June and issued an advisory about the risk a month later. However, the company downplayed the risk, describing the tracking ID's behavior as a minor flaw.
“Kaspersky has changed the process of checking web pages for malicious activity by removing the usage of unique identifiers for the GET requests. This change was made after Ronald Eikenberg reported to us that using unique identifiers for the GET requests can potentially lead to the disclosure of a user’s personal information.
“After our internal research, we have concluded that such scenarios of user’s privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process.
“We would like to thank Ronald Eikenberg for reporting this to us,” Kaspersky said.
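The privacy self-check below is an added example, not code from the article, from Eikenberg or from Kaspersky. It shows what Eikenberg's observation means in practice: a UUID embedded in the URL of a script injected into every page is readable from the HTML source by any other script, and the same value recurring across unrelated sites is a per-machine tracking handle. It also shows why Kaspersky's fix (dropping the unique identifier from the GET request) makes the check come back empty. The vendor domain and UUID in the sample pages are constructed placeholders, not the real ones.

```javascript
// Regex for a UUID-shaped path or query segment (version is not checked).
const UUID_RE = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i;
// Resource-loading tags whose src/href a page-side script could read from the DOM.
const SRC_RE = /<(?:script|link|img|iframe)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;

// Scan a page's HTML source (e.g. saved from view-source) for third-party resources
// whose URL carries a UUID, and return the host and the identifier for each one.
function findStableIdentifiers(html, pageOrigin) {
  const hits = [];
  for (const m of html.matchAll(SRC_RE)) {
    let parsed;
    try { parsed = new URL(m[1], pageOrigin); } catch { continue; }
    const idMatch = UUID_RE.exec(parsed.pathname + parsed.search);
    // First-party URLs are skipped: only a third party injecting the same value
    // into every site can correlate visits across operators.
    if (idMatch && parsed.origin !== pageOrigin) {
      hits.push({ host: parsed.host, id: idMatch[0].toLowerCase() });
    }
  }
  return hits;
}

// Given snapshots of several unrelated sites as rendered on one machine, report any
// identifier that appears on more than one of them: that is the cross-site linkage
// Eikenberg described, and what a defender wants to know is present.
function crossSiteIdentifiers(snapshots) {
  const seen = new Map(); // id -> Set of page origins it appeared on
  for (const { origin, html } of snapshots) {
    for (const { id } of findStableIdentifiers(html, origin)) {
      if (!seen.has(id)) seen.set(id, new Set());
      seen.get(id).add(origin);
    }
  }
  return [...seen]
    .filter(([, origins]) => origins.size > 1)
    .map(([id, origins]) => ({ id, sites: [...origins] }));
}

// Constructed sample: two unrelated sites, both rendered with the same injected
// vendor script (placeholder domain and UUID, not the real Kaspersky values).
const INJECTED =
  '<script src="https://scan.example-av-vendor.invalid/8ff3c2a0-1b2c-4d5e-9f01-23456789abcd/main.js"></script>';
// The same injection after a fix of the kind Kaspersky describes: no per-install id.
const INJECTED_FIXED = '<script src="https://scan.example-av-vendor.invalid/main.js"></script>';
const SNAPSHOTS = [
  { origin: 'https://shop.example', html: '<html><head>' + INJECTED + '<script src="/app.js"></script></head></html>' },
  { origin: 'https://news.example', html: '<html><head>' + INJECTED + '<link rel="stylesheet" href="/s.css"></head></html>' },
];

console.log(crossSiteIdentifiers(SNAPSHOTS)); // one id, linked to both sites
console.log(findStableIdentifiers(INJECTED_FIXED, 'https://shop.example')); // []
```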