Kaspersky
Question

Kaspersky has fixed a security issue (CVE-2019-8286) in its products that could potentially compromise user privacy by using unique product id which was accessible to third parties. [merged]

  • 15 August 2019
  • 19 replies
  • 1478 views

Userlevel 2
According to an article published by c't, a German computer magazine, Kaspersky puts users at risk by means of a data leak allowing third parties to spy on users while they are surfing the web.

Link to article: https://www.heise.de/ct/artikel/Kasper-Spy-Kaspersky-Anti-Virus-puts-users-at-risk-4496138.html

The article mentioned above is currently hotly debated in the German section of this forum. Any comments from Kaspersky?

19 replies

Userlevel 7
Badge +4
https://support.kaspersky.com/general/vulnerability.aspx?el=12430#110719
Userlevel 2
https://support.kaspersky.com/general/vulnerability.aspx?el=12430#110719
Please read the whole article (especially the paragraphs under the subheading "That cat is out of the bag". Thank you.
Userlevel 7
Badge +4
This is the only official response for now from Kaspersky, probably here in this forum you won't get the answer, better try to contact to Kaspersky official Support.
Userlevel 2
This is the only official response for now from Kaspersky, ...
I know but I do think Kaspersky should publish an official statement going beyond an "advisory". Apart from that, this privacy issue has not been completely fixed yet.
Interesting topic here: https://www.heise.de/ct/artikel/Kasper-Spy-Kaspersky-Anti-Virus-puts-users-at-risk-4496138.html . Should I be concerned?
Userlevel 4
Badge
After Kaspersky distributed the patch, I did not hesitate to repeat my experiments. The software still injects an ID - but this is now the same for all users: FDXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. A website can no longer recognize individual users. However, it is still possible to find out if a visitor installed Kaspersky software on their system and how old it is. An attacker could use this information to redistribute a pest tailored to the protection software or redirect it to a suitable scam page, with the slogan: "Your Kaspersky license has expired. Please enter your credit card number to renew the subscription ".
Userlevel 7
Badge +4
@Tiranon: only K2019 affected? have You tried with K2020?
Userlevel 4
Badge
@Tiranon: only K2019 affected? have You tried with K2020?
yes with KTS 2020 (Patch C) is also the problem
Userlevel 7
Badge +5
It is still possible to find out if a visitor installed Kaspersky software on their system and how old it is. An attacker could use this information to redistribute a pest tailored to the protection software or redirect it to a suitable scam page, with the slogan: "Your Kaspersky license has expired. Please enter your credit card number to renew the subscription ".
___
Have you tested this @Tiranon & with 2020? Does the same issue exist with VPN active?
Curious🤔
Userlevel 4
Badge

It is still possible to find out if a visitor installed Kaspersky software on their system and how old it is. An attacker could use this information to redistribute a pest tailored to the protection software or redirect it to a suitable scam page, with the slogan: "Your Kaspersky license has expired. Please enter your credit card number to renew the subscription ".___
Have you tested this @Tiranon & with 2020? Does the same issue exist with VPN active?
Curious🤔

Yes, the problem exists in the 2020 version. Unfortunately, I do not use VPN
Userlevel 4
Badge
Message from the support:

Dear customer, I would like to thank you for the information sent. I have forwarded all data you provided to our product development in Moscow. Your request will now be processed. Please wait for my answer. Please ignore the message "If we do not receive an answer within the next 7 days, we assume the case has been resolved", as this is not your case. Many thanks.
Userlevel 7
Badge +4
Some media seem to have received a (identical) statement from Kaspersky upon request:

Kaspersky has changed the process of checking web pages for malicious activity by removing the usage of unique identifiers for the GET requests. This change was made after Ronald Eikenberg reported to us that using unique identifiers for the GET requests can potentially lead to the disclosure of a user's personal information.
After our internal research, we have concluded that such scenarios of user's privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process. We'd like to thank Ronald Eikenberg for reporting this to us."

I can't vouch for the authenticity, I didn't find a KL source for it.
Userlevel 7
Badge +5
Some media seem to have received a (identical) statement from Kaspersky upon request:
Kaspersky has changed the process of checking web pages for malicious activity by removing the usage of unique identifiers for the GET requests. This change was made after Ronald Eikenberg reported to us that using unique identifiers for the GET requests can potentially lead to the disclosure of a user's personal information.
After our internal research, we have concluded that such scenarios of user's privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process. We'd like to thank Ronald Eikenberg for reporting this to us." I can't vouch for the authenticity, I didn't find a KL source for it.

Hello @Schulte,
Thanks for the update. (imo) Kaspersky have made a statement, like they do with every other fix for malicious activity. It's not the first time in Kaspersky's history, nor any other major provider of av/malware sftw, that a bug's been found by an "outsider"...
IF Kaspersky hadn't fixed, hadn't published and hadn't continued to work on the the issue, "that", would be newsworthy.
Userlevel 2
After Kaspersky distributed the patch, I did not hesitate to repeat my experiments. The software still injects an ID - but this is now the same for all users: FDXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. A website can no longer recognize individual users. However, it is still possible to find out if a visitor installed Kaspersky software on their system and how old it is. An attacker could use this information to redistribute a pest tailored to the protection software or redirect it to a suitable scam page, with the slogan: "Your Kaspersky license has expired. Please enter your credit card number to renew the subscription ".

It is a widespread practice in the industry to use scripts as Kaspersky does. The script itself and/or URL from which it is downloaded can identify the vendor of the product with or without any ID. So, the conclusion made by the author of the article is silly. Moreover, use of terms such as spying (including deliberate brand distortion), bank trojans and data leakage, where discovered fault allowed very limited web tracking, clearly indicates that the article is obviously biased.
Userlevel 1

Feature Kaspersky added in 2015 also made it possible to be ID'd across different browsers


Antivirus software is something that can help people be safer and more private on the Internet. But its protections can cut both ways. A case in point: for almost four years, AV products from Kaspersky Lab injected a unique identifier into the HTML of every website a user visited, making it possible for sites to identify people even when using incognito mode or when they switched between Chrome, Firefox, or Edge....

https://arstechnica.com/information-technology/2019/08/kaspersky-av-injected-unique-id-into-webpages-even-in-incognito-mode/
Userlevel 2
@alex5723, it is still remains unanswered why Kaspersky added that "feature".
Userlevel 7
Badge +4
A blog article has been published:

I heard a bug in Kaspersky products could be used for spying. Is that true?
Userlevel 2
Sadly that IT magazine c't goes so dirty way to engage the audience.
Userlevel 7
Badge +1
Sadly that IT magazine c't goes so dirty way to engage the audience.
I agree. If anyone wants to read about real threats, there are plenty of real threats out there to read about. And do something about. That is why I changed the title of this topic thread, twice. That is why I have been active on the Kaspersky forums for 12 years, 61,000 posts. That is why I am active in several areas of other types of awareness of real threats.




---------------
Scroll down to see first reader comment about a Real Threat: https://blog.dogsbite.org/2019/08/2019-dog-bite-fatality-9-year-old-girl-killed-by-three-pit-bulls-in-detroit.html

Reply / Ответить