
blocked an attempt to openly transfer the password from a web page on a public Wi-Fi network, all for algolia.net, [blocking] changes url, specific to https://community.kaspersky.com/


Go to solution Solved by Flood and Flood's wife,


The application has blocked an attempt to openly transfer the password from a web page on a public Wi-Fi network
URL: ic23zxnzkt-dsn.algolia.net
Time: 4/20/2019 12:25 PM

The application has blocked an attempt to openly transfer the password from a web page on a public Wi-Fi network
URL: ic23zxnzkt-3.algolianet.com
Time: 4/20/2019 12:25 PM

The application has blocked an attempt to openly transfer the password from a web page on a public Wi-Fi network
URL: ic23zxnzkt-dsn.algolia.net
Time: 4/20/2019 12:25 PM

The application has blocked an attempt to openly transfer the password from a web page on a public Wi-Fi network
URL: ic23zxnzkt-1.algolianet.com
Time: 4/20/2019 12:25 PM

The application has blocked an attempt to openly transfer the password from a web page on a public Wi-Fi network
URL: ic23zxnzkt-2.algolianet.com
Time: 4/20/2019 12:25 PM

-------------------------------------------------------
Happens irrespective of whether Forum is signed into or not.
-------------------------------------------------------
Selecting [block] just generates another popup, same domain, different prefix.
-------------------------------------------------------
Happens irrespective of which browser is used, 4 different browsers tested.

Google Chrome: 73.0.3683.103 (Official Build) (64-bit)
Firefox Quantum: 66.0.3 (64-bit)
Microsoft Edge: 44.17763.1.0, Microsoft EdgeHTML 18.17763
Vivaldi: 2.4.1488.35 (Stable channel) (64-bit)
-------------------------------------------------------
Unknown domain....
-------------------------------------------------------
Only way to kill popup is via taskmanager or reboot.
-------------------------------------------------------
KTS 19.0.0.1088(e), Win 10 x 64, 1809, Version 10.0.17763.437

  • 6 months later...

Hi there,

 

I work at Algolia, and stumbled upon this thread after receiving a message about this in our own forums:

https://discourse.algolia.com/t/persistent-trying-to-transfer-password-alerts-for-unknown-x-algolia-domain/8996

 

We provide Search, including on these forums.

I assume the “password” the AV detects is a read-only API key to a search index (32 chars, [a-z0-9]).

This key is not linked to the current user of the page, but the credentials of the website searching in our index.

Having it exposed is a non-issue, and furthermore the query is properly going through HTTPS.

 

If I understood correctly, this pop-up would trigger on all websites using Algolia to power their search.

 

I have 2 questions:

  1. Is there any way to have the detection code updated not to detect this pattern, which is completely legit?
  2. Is there any way to disable this detection in-app?

 

Best,
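
An added illustration, not part of the original post and not Kaspersky's detection logic: a request classifier that separates a user-typed password sent over cleartext HTTP from a site-level key of the shape described above (32 chars, [a-z0-9]) sent over HTTPS. The `X-Algolia-API-Key` header name, the password field-name list, the request path and every sample value are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Key shape as described in the post: 32 chars, [a-z0-9].
API_KEY_SHAPE = re.compile(r"[a-z0-9]{32}")
# Form field names that suggest a user-typed secret (assumed list).
PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}


def classify(url, headers=None, form=None):
    """Label one outbound request by what secret it carries and how."""
    parts = urlsplit(url)
    encrypted = parts.scheme == "https"
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    form = form or {}

    # A value typed by the user into a password field is the real concern,
    # and only when the transport is not encrypted.
    typed = [k for k, v in form.items() if k.lower() in PASSWORD_FIELDS and v]
    if typed and not encrypted:
        return "cleartext-password"

    # A site-level key travels in a header or query parameter, not a form
    # field, and belongs to the website rather than to the visitor.
    candidates = [v for k, v in headers.items() if k.endswith("api-key")]
    candidates += [v for k, v in parse_qsl(parts.query)
                   if k.lower().endswith("api-key")]
    if any(API_KEY_SHAPE.fullmatch(v) for v in candidates):
        return "site-api-key" if encrypted else "cleartext-api-key"
    return "ok"


# Constructed sample requests (the key value is made up).
SAMPLE_KEY = "0123456789abcdef0123456789abcdef"
SEARCH = ("https://ic23zxnzkt-dsn.algolia.net/1/indexes/*/queries",
          {"X-Algolia-API-Key": SAMPLE_KEY}, None)
HTTP_LOGIN = ("http://portal.example/login", None,
              {"user": "alice", "password": "hunter2"})
HTTPS_LOGIN = ("https://portal.example/login", None,
               {"user": "alice", "password": "hunter2"})

if __name__ == "__main__":
    for name, req in [("search", SEARCH), ("http login", HTTP_LOGIN),
                      ("https login", HTTPS_LOGIN)]:
        print(f"{name:12} -> {classify(*req)}")
```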


Hello @Jerska.

Thank you so much!

This issue is concerning, bc, the domain is unknown (to me), a problem, bc, the “transfer password” alerts prevent continued browser use until the alert is killed via Taskmanager, killing 30+ algolianet alerts brings my work to a halt and the Community admin has advised: Community Portal only, any supported browser, any search: generates a "transfer pwd" popup, domain: ic23zxnzkt-dsn.algolia.net

It does not seem as a community issue. Try to clear cache of all browsers, remove unused addons and clear TEMP folders.

The issue has been with Kaspersky Technical Support since April 2019, 7 months. I reached out to Algolia via (your) forum, in sheer desperation. 

It’s clearly an issue, one I cannot fix, with your contribution, maybe Kaspersky will🤔

Best Regards


> This issue is concerning, bc, the domain is unknown (to me)

 

This is definitely understandable. I guess you now understand what we do, but just to be clear, we’re a service provider, and you could imagine the same type of external requests for any service provider (e.g. imgur for image hosting).

 

> It’s clearly an issue, one I cannot fix, with your contribution, maybe Kaspersky will🤔

 

As advised in our own community forums, I would encourage you to try to get in direct contact with Kaspersky’s support team.

It seems like this would be a good route:

https://support.kaspersky.com/us/b2c/US#product

 

This is basically two reports at once:

  1. The false positive detection of those calls
  2. The UI having issues when many requests are detected, requiring you to go through the Task Manager to kill it

Hello  @Jerska,

Thank you.

As I advised above: The issue has been logged with Kaspersky Lab Technical Support for 7 months, and logged here in the Community Forum.

It’s not a succession of multiple requests, a (one) search is made, the alert pops up, no further action on the browser can happen until the ”transfer pwd” alert process is killed.

Killing the process allows for the “search” to be attempted again,  ”transfer pwd” alert pops again, kill process again, ad infinitum.... 

BR


Hello,

The information regarding the scenario is mentioned for the first time by @Jerska. We were unable to receive an exact scenario of the issue reproduction before that. Thank you! And thank you for this overall analysis. It is very useful!

As I see this one request to Technical support (regarding the issue) is escalated to HQ. We will check it soon.


Additional information from Algolia representative, Monday, 18 November 2019 21:42

Quote:

This is not linked to Algolia per-se, but rather the antivirus, Kaspersky.

When searching in a page using Algolia, it will trigger a request to our servers to get your search results. This is expected, and there is a key in there which I believe the anti-virus incorrectly detects as being a password. I would advise you to contact Kaspersky’s support, as this is a false positive in their systems.

Unquote


  • 1 year later...
