
A flaw in Kaspersky Antivirus allowed tracking its users online

A vulnerability in Kaspersky Antivirus had exposed a unique identifier associated with users to every website they have visited in the past 4 years.

A vulnerability in the Kaspersky Antivirus software, tracked as CVE-2019-8286, had exposed a unique identifier associated with its users to every website they have visited in the past 4 years. The exposure of this identifier allowed visited websites and commercial third-party services to track users online.

The bad news is that users might have been exposed to cross-site tracking even if they have blocked or deleted cookies.

The vulnerability was discovered by security researcher Ronald Eikenberg; it resides in the URL scanning module of the antivirus software, called Kaspersky URL Advisor.

The Kaspersky Internet Security solution injects a remotely hosted JavaScript file directly into the HTML code of every web page its users visit, in order to check whether the page is blacklisted for some reason (e.g. it belongs to a list of phishing web domains).

Analyzing the URL of the JavaScript file, Eikenberg discovered that it contained a string unique to every Kaspersky user, which could be used to track that user. Websites, advertising networks, and analytics services could easily use the string to track users online.

“My first examination of Kaspersky’s script main.js showed me that, among other things, it displays green icons with Google search results if Kaspersky believes the relevant link to lead to a clean website.” reads the post published by the expert. “This could have been the end of my analysis, but there was this one small detail: The address from which the Kaspersky script was loaded contained a suspicious string:

https://gc.kis.v2.scr.kaspersky-labs.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.js

The part marked bold has a characteristic pattern. The structure matches a so-called Universally Unique Identifier (UUID). These IDs are used to make things, well, uniquely identifiable”

Eikenberg installed the Kaspersky antivirus software on other computers and discovered that the UUID in the script's source address was different on each of them. He also noticed that the IDs were persistent and did not change over time, meaning that each ID was permanently associated with a specific system running Kaspersky Antivirus.

“That’s a remarkably bad idea. Other scripts running in the context of the website domain can access the entire HTML source any time, which means they can read the Kaspersky ID.

In other words, any website can read the user’s Kaspersky ID and use it for tracking. If the same Universally Unique Identifier comes back, or appears on another website of the same operator, they can see that the same computer is being used.” continues the post. “If this assumption is correct, Kaspersky has created a dangerous tracking mechanism that makes tracking cookies look old. In that case, websites can track Kaspersky users, even if they switch to a different browser. Worse yet, the super tracking can even overcome the browser’s incognito mode.”

Eikenberg reported the issue to Kaspersky, which addressed it in July. Now the same value (FD126C42-EBFA-4E12-B309-BB3FDD723AC1) is assigned to all users.

“Kaspersky has fixed a security issue (CVE-2019-8286) in its products that could potentially compromise user privacy by using unique product id which was accessible to third parties.” reads the advisory published by Kaspersky. “This issue was classified as User Data disclosure. The attacker has to prepare and deploy a malicious script on the web servers from where he will track the user.”

Affected products are:

  • Kaspersky Anti-Virus up to 2019
  • Kaspersky Internet Security up to 2019
  • Kaspersky Total Security up to 2019
  • Kaspersky Free Anti-Virus up to 2019
  • Kaspersky Small Office Security up to 6

Experts pointed out that the Kaspersky URL Advisor feature still allows a website to check whether a visitor has Kaspersky Antivirus software installed on their computer, information that scammers could use in various ways.

“That is actually valuable information to an attacker. They may use that information to distribute malware tailored to the protection software, or to redirect the browser to a suitable scamming page.” concludes the expert. “Imagine something along the lines of “Your Kaspersky license has expired. Please enter your credit card number to renew your subscription”. Of course I have reported this problem to Kaspersky as well.”
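The two exposures described above (a per-installation UUID readable from the page source before the fix, and the mere presence of the injected script afterwards) can be checked offline with a small audit over a page's HTML. The following is an added example written for this article, not code from the article, from Eikenberg, or from Kaspersky: it assumes the script URL shape quoted above (the gc.kis.v2.scr.kaspersky-labs.com host, a UUID path segment and main.js), uses the post-fix shared value reported in the article, and runs over constructed HTML samples rather than captured pages. The function and sample names are the author's own.

```javascript
// Added example (not from the article or from Kaspersky): an offline audit that
// inspects page HTML for the injected URL Advisor script and classifies the
// identifier in its src. Host and path shape follow the URL quoted in the
// article; the "fixed" value is the post-patch constant the article reports.
const URL_ADVISOR_SCRIPT_RE =
  /https:\/\/gc\.kis\.v2\.scr\.kaspersky-labs\.com\/([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\/main\.js/g;

// Value the article says Kaspersky now assigns to every installation after the fix.
const POST_FIX_SHARED_ID = "FD126C42-EBFA-4E12-B309-BB3FDD723AC1";

/**
 * Scan a page's HTML source (the same text any third-party script running in
 * the page context can read) for injected URL Advisor <script> tags.
 * Returns { present, ids, perUserId } where:
 *   present   - a matching script tag was found (still reveals the AV is installed)
 *   ids       - distinct UUIDs seen in matching src attributes
 *   perUserId - true when an id other than the shared post-fix constant appears,
 *               i.e. the installation still exposes a unique, trackable identifier
 */
function auditUrlAdvisorScripts(html) {
  const ids = new Set();
  for (const match of html.matchAll(URL_ADVISOR_SCRIPT_RE)) {
    ids.add(match[1].toUpperCase());
  }
  const perUserId = [...ids].some((id) => id !== POST_FIX_SHARED_ID);
  return { present: ids.size > 0, ids: [...ids], perUserId };
}

// Constructed sample pages (not captured from a real browser session).
const SAMPLES = {
  // Pre-fix behaviour: a per-installation UUID, using the article's example URL.
  vulnerable: `<html><head><title>t</title>
<script type="text/javascript" src="https://gc.kis.v2.scr.kaspersky-labs.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.js" charset="UTF-8"></script>
</head><body></body></html>`,
  // Post-fix behaviour: the shared constant, so the id no longer singles out a user.
  patched: `<html><head>
<script type="text/javascript" src="https://gc.kis.v2.scr.kaspersky-labs.com/FD126C42-EBFA-4E12-B309-BB3FDD723AC1/main.js"></script>
</head><body></body></html>`,
  // No injection at all (URL Advisor disabled or no Kaspersky product installed).
  clean: `<html><head></head><body><p>hello</p></body></html>`,
};

// Human-readable summary of an audit result.
function describe(result) {
  if (!result.present) return "no URL Advisor script injected";
  if (result.perUserId) return `per-user identifier exposed: ${result.ids.join(", ")}`;
  return "URL Advisor present, shared post-fix id only (installation still detectable)";
}

// Stand-alone run: node audit.js
if (typeof require !== "undefined" && require.main === module) {
  for (const [name, html] of Object.entries(SAMPLES)) {
    console.log(`${name}: ${describe(auditUrlAdvisorScripts(html))}`);
  }
}
```

To check a live installation's own exposure, the same function can be run in the browser console against document.documentElement.outerHTML on any page; a result with perUserId true means the product has not received the July fix, while present with a shared id only shows the residual "Kaspersky is installed" signal the expert describes.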

To disable the URL Advisor feature, go to Settings → Additional → Network and un-check the traffic processing box.


Pierluigi Paganini

(SecurityAffairs – CVE-2019-8286, Kaspersky Antivirus)

