Kaspersky
Question

Login problems with Algolia community software and Google ReCaptcha [MOVED]

  • 10 July 2020
  • 4 replies
  • 132 views

Badge

When logging in to these forums today, I found that the “new” community/forum system run by Algolia and it’s further integration with Kaspersky Company accounts has a number of problems with “ad blocking” browser plugins, some of these related to the use of Google ReCaptcha on the login page.  Basically, any attempt to whitelist the cacaphony of javascript domains loaded by the login page causes the login page to error out, requiring the user to go back to the community front page and click the login link again.

It should also be noted that the use of Google scripts on login pages may pose a security risk when used on any Russian login page, as it seems that Google will be able to change their javascript code to actively hunt down and extract the usernames and passwords used on the login page, and they might potentially share such sensitive login information with their government, which is obviously not the Russian Government, which should be a concern for Kaspersky, given prior conflicts between Kaspersky Labs and said government.

 


4 replies

Userlevel 7
Badge +4

@jb_wisemo hello!

Regarding the first section in your reply: Is there a real stenario related to this community portal?

Regarding the second section: we will provide this information to respoisible persons.

Thank you.

Userlevel 6

@jb_wisemo

hi!

could you please tell step by step what you do on the community to reproduce the problem?

 

We have not found any security risks related to the situation you are talking about.

Anyway, login page on our community is handled by Kaspersky (via SSO) and hosted not on Community portal.

Badge

The reproduction method is to use the Swedish browser “Pale Moon” with the latest compatible versions of the “uMatrix” and “RequestPolicy” browser extensions to control insecure cross-domain sharing of login information.

It might be possible to create a similar permission-prompting configuration with latest Firefox and compatible plugins.

Using these, it becomes very visible that the login process gets redirected and cross-domain loaded back and forth between domains under kaspersky.com and domains under other companies (including algolia.net, insided.com, numbered accounts under cloudfront.net and various javascript CDNs).  During the login process, recaptcha.net also appears in the list of domains accessed.

 

Userlevel 7
Badge +9

The reproduction method is to use the Swedish browser “Pale Moon” 

 

Hello @jb_wisemo

Welcome back!

Specific only to the use of Pale Moon → Pale Moon it is not a Supported browser, reference: Browser support.

Thank you:pray_tone3:

Flood:whale:+:whale2:

Reply / Ответить