Brother
Ronald Eikenberg, editor of the German magazine c't, discovered that Kaspersky Lab security products exposed a unique ID for each user to websites and other services, by which the victim could be successfully tracked.
Eikenberg PoC
The vulnerability was assigned the identifier CVE-2019-8286, and it affected solutions such as Kaspersky Anti-Virus (up to version 2019), Internet Security (up to version 2019), Total Security (up to version 2019), Free Anti-Virus (up to version 2019) and Small Office Security (up to version 6).
The root of the problem was that the vendor's security solutions scan web pages by injecting a script into them that downloads JavaScript from the company's servers. This script is intended, for example, to warn users about which search results may be dangerous.
Alas, the URL from which the script was loaded contained an ID that was unique to each user. As a result, this unique ID could be easily read by any site, regardless of the browser used and of whether incognito mode was enabled. In fact, this made it possible to follow the user across the web, even if he switched to another browser.
Eikenberg believes that marketers, attackers and companies that specialize in profiling site visitors may have discovered this bug many years ago and have successfully used it for a long time, but the researcher has no evidence of this.
The developers of Kaspersky Lab fixed the problem back in July this year. For example, the ID still exists, but now it is the same for all users of certain products, so it can no longer be used to track individual people.
However, Eikenberg believes that even in its current form, the ID can be dangerous. After all, sites can still see whether a visitor has a Kaspersky Lab security solution installed and which version.
Kaspersky Lab experts say that such attacks are theoretically possible, but are unlikely to be implemented in practice due to their high complexity and low profitability for cybercriminals. However, if desired, users can disable the Kaspersky URL Advisor in the settings, although this will affect the functionality of other product components.

“In general, this is valuable information for an attacker. They can use this information to distribute malware designed specifically for this security product, or redirect the user to a suitable fraudulent page. Imagine a message like “Your Kaspersky license has expired. Please enter your credit card number to renew your subscription,” Eikenberg writes.
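
One way to audit a security product for this class of leak, as an added example (not code from the article, from Eikenberg or from Kaspersky): compare DOM snapshots of the same page saved on different machines and check whether an injected third-party script URL carries an ID that differs per machine (the pre-fix behaviour) or is identical everywhere (the post-fix behaviour). The host names, IDs and function names are constructed for illustration.

```javascript
// Constructed sample: host names, IDs and function names are made up for illustration.
const ID_RE = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|[0-9a-f]{32,}/gi;

// Absolute URLs of every <script src=...> in a saved DOM snapshot.
function scriptSrcs(html, pageUrl) {
  const out = [];
  const re = /<script\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (const m of html.matchAll(re)) {
    try { out.push(new URL(m[1], pageUrl)); } catch { /* skip malformed src */ }
  }
  return out;
}

// Group third-party script URLs by template (ID-like tokens masked), then
// compare the IDs observed in each snapshot of the same page.
function auditInjectedIds(snapshots, pageUrl) {
  const pageHost = new URL(pageUrl).host;
  const byTemplate = new Map();
  for (const { label, html } of snapshots) {
    for (const u of scriptSrcs(html, pageUrl)) {
      if (u.host === pageHost) continue;            // first-party script, ignore
      const rest = u.pathname + u.search;
      const ids = rest.match(ID_RE);
      if (!ids) continue;                           // no identifier-like token
      const template = u.host + rest.replace(ID_RE, "{id}");
      if (!byTemplate.has(template)) byTemplate.set(template, new Map());
      byTemplate.get(template).set(label, ids.join(",").toLowerCase());
    }
  }
  return [...byTemplate].map(([template, seen]) => {
    const distinct = new Set(seen.values()).size;
    const verdict = seen.size < 2 ? "need-more-snapshots"
      : distinct === seen.size ? "per-install-id"   // differs per machine: usable for tracking
      : distinct === 1 ? "shared-id"                // same everywhere: reveals the product only
      : "mixed";
    return { template, snapshots: seen.size, verdict };
  });
}

// Constructed snapshots of one page as rendered on two machines.
const page = "https://shop.example/";
const snap = (label, id) => ({ label, html:
  `<head><script src="https://av-inject.example/${id}/main.js"></script><script src="/app.js"></script></head>` });
const before = [snap("pc-a", "11111111-2222-3333-4444-555555555555"),
                snap("pc-b", "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE")];
const after = [snap("pc-a", "0F0F0F0F-0000-0000-0000-0F0F0F0F0F0F"),
               snap("pc-b", "0F0F0F0F-0000-0000-0000-0F0F0F0F0F0F")];
console.log(auditInjectedIds(before, page));
console.log(auditInjectedIds(after, page));
```

A "shared-id" verdict still means every visited site can tell that the product is installed, which is the residual exposure Eikenberg describes.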