A security flaw in Kaspersky antivirus leaves millions of users exposed to online hack
A security journalist Ronald Eikenberg at German computer magazine C’T revealed that a flaw in Kaspersky antivirus software allowed third parties to spy on its millions of users for years – even in the browser’s Incognito Mode or when you use a different browser such as Chrome, Firefox, or Edge.
According to an article titled “Kasper-Spy: Kaspersky Anti-Virus puts users at risk published in the magazine on Thursday, Kaspersky AV software inserted a Universally Unique Identifier (UUID) into the JavaScript code of every browser a user visited without their consent. The website operator too could view the code and identifier.
“That’s a remarkably bad idea,” Eikenberg explained. “Other scripts running in the context of the website domain can access the entire HTML source any time, which means they can read the Kaspersky ID. In other words, any website can read the user’s Kaspersky ID and use it for tracking. If the same Universally Unique Identifier comes back or appears on another website of the same operator, they can see that the same computer is being used.”
Eikenberg confirmed that the flaw was found in all versions of Kaspersky antivirus software that was released after late 2015.
“My inquiries revealed that the leak was introduced with Kaspersky’s ‘2016’ editions, released in the Autumn of 2015. And the UUID wasn’t hidden. If I was able to find it by happenstance, various people, from eager marketers to malicious attackers may have been exploiting it for almost four years,” he added. “Several million users must have been exposed overall.”
According to Eikenberg, the company has been injecting JavaScript code via its various products, including Kaspersky Lab Internet Security and Kaspersky Lab Free Anti-Virus.
Kaspersky, for its part, fixed the flaw this June and also issued an advisory in regards to the risk a month later. However, the company downplayed the risk posed by the behavior of the tracking ID as a minor flaw.
“Kaspersky has modified the method of checking webpages for malicious process by way of disposing of the use of distinctive identifiers for the GET requests. This transformation was once made after Ronald Eikenberg reported to us that the usage of distinctive identifiers for the GET requests can doubtlessly result in the disclosure of a consumer’s non-public knowledge.
“After our inside analysis, we’ve got concluded that such situations of consumer’s privateness compromise are theoretically imaginable however are not likely to be performed in apply, because of their complexity and coffee profitability for cybercriminals. Nonetheless, we’re continuously running on making improvements to our applied sciences and merchandise, leading to a metamorphosis on this procedure.
“We would love to thank Ronald Eikenberg for reporting this to us,” Kaspersky said.
Those who are worried about the security risks can head to settings of the Kaspersky Antivirus software. Then navigate to Additional/Network, going to Traffic Processing and uncheck “Inject script into web traffic to interact with web pages” to turn off the JavaScript injection.
