Kaspersky Antivirus Flaw Exposed Users to Cross-Site Tracking Online
In this digital era, the success of almost every marketing, advertising, and analytics company drives through tracking users across the Internet to identify them and learn their interests to provide targeted ads.
Most of these solutions rely on 3rd-party cookies, a cookie set on a domain other than the one you are browsing, which allows companies including Google and Facebook to fingerprint you in order to track your every move across multiple sites.
However, if you're using Kaspersky Antivirus, a vulnerability in the security software had exposed a unique identifier associated with you to every website you visited in the past 4 years, which might have allowed those sites and other third-party services to track you across the web even if you have blocked or erased third-party cookies timely.
The vulnerability, identified as
CVE-2019-8286and discovered by independent security researcher Ronald Eikenberg, resides in the way a URL scanning module integrated into the antivirus software, called
Kaspersky URL Advisor, works.
By default, Kaspersky Internet security solution injects a remotely-hosted JavaScript file directly into the HTML code of every web page you visit—for all web browsers, even in incognito mode—in an attempt to check if the page belongs to the list of suspicious and phishing web addresses.
Well, it's no surprise, as most Internet security solutions work in the same way to monitor web pages for malicious content.
However, Eikenberg finds that the URL of this JavaScript file contains a string which is unique to every Kaspersky user, sort of a UUID (Universally Unique Identifier) that can easily be captured by websites, other third-party advertising and analytics services, putting its users privacy at risk.
"That's a bad idea because other scripts that run in the context of the website domain can access the HTML code at any time—and thus the injected Kaspersky ID. This means in plain language that any website can simply read the Kaspersky ID of the user and misuse it for tracking," the researcher says.
"The IDs were persistent and did not change after several days. This made it clear that an ID can be permanently assigned to a specific computer."
Eikenberg reported his findings to Kaspersky, who acknowledged the issue and patched it just last month by assigning a constant value (
FD126C42-EBFA-4E12-B309-BB3FDD723AC1) for all users instead of using UUID in the JavaScript URL.
"Kaspersky has fixed a security issue (CVE-2019-8286) in its products that could potentially compromise user privacy by using unique product id which was accessible to third parties," the company says in its
advisory.
"This issue was classified as User Data disclosure. The attacker has to prepare and deploy a malicious script on the web servers from where he will track the user."
However, the Kaspersky URL Advisor feature still enables websites and third-party services to find out if a visitor has Kaspersky software installed on his system, which the researcher believes can be abused by scammers and cybercriminals indirectly.
"An attacker could use this information to redistribute a pest tailored to the protection software or redirect it to a suitable scam page, with the slogan: Your Kaspersky license has expired. Please enter your credit card number to renew the subscription," Eikenberg warned.
The updated versions of Kaspersky Antivirus, Internet Security, Total Security, Free Antivirus, and Small Office Security products have already been delivered to affected users.
But, users who want to disable this tracking altogether can manually disable the URL Advisor feature from settings→ additional→ network→ un-check traffic processing box, as shown in the above screenshot.
from The Hacker News https://ift.tt/2MjZHAC