A vulnerability in Kaspersky Antivirus exposed a unique identifier associated with users to every website
Vulnerability in the Kaspersky Antivirus software, tracked as CVE-2019-8286, had exposed a unique identifier associated with its users to every website they have visited in the past 4 years. The exposure of this identifier allowed visited websites and commercial third-party services to track users online.
The bad news is that users might have been exposed to cross-site tracking even if they have blocked or deleted cookies. The vulnerability was discovered by the security researcher Ronald Eikenberg, it resides in the URL scanning module, called Kaspersky URL Advisor, of the antivirus software.
Kaspersky Internet security solution injects a remotely-hosted JavaScript file directly into the HTML code of every web page visited by its users to check if the page is blacklisted for some reason .
Analyzing the string of the URL of the JavaScript, Eikenberg discovered that it was containing a unique string for every Kaspersky user that could be used to track it. The string could be easily used by websites, advertising, and analytics services to track users online.
“My first examination of Kaspersky’s script main.js showed me that, among other things, it displays green icons with Google search results if Kaspersky believes the relevant link to lead to a clean website.” reads the post published by the expert. “This could have been the end of my analysis, but there was this one small detail: The address from which the Kaspersky script was loaded contained a suspicious string:
https://gc.kis.v2.scr.kaspersky-labs.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.js
The part marked bold has a characteristic pattern. The structure matches a so-called Universally Unique Identifier (UUID). These IDs are used to make things, well, uniquely identifiable”
Eikenberg installed the Kaspersky antivirus software on other computers and discovered that UUID in the source address was different on each of them. He also noticed that the IDs were persistent and did not change over time. This means that the ID was permanently associated with each system running Kaspersky Antivirus. The report says.
“That’s a remarkably bad idea. Other scripts running in the context of the website domain can access the entire HTML source any time, which means they can read the Kaspersky ID.
Eikenberg reported the issue to Kaspersky that addressed it in July. Now the same value (FD126C42-EBFA-4E12-B309-BB3FDD723AC1) is assigned for all users.
“Kaspersky has fixed a security issue (CVE-2019-8286) in its products that could potentially compromise user privacy by using unique product id which was accessible to third parties.” reads the advisory published by Kaspersky. “This issue was classified as User Data disclosure. The attacker has to prepare and deploy a malicious script on the web servers from where he will track the user.”
Experts pointed out that Kaspersky URL Advisor feature still allows checking if a visitor has Kaspersky Antivirus software installed on his computers, an information that could be used by scammers in various ways.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.