Jump to content

Kaspersky has fixed a security issue (CVE-2019-8286) in its products that could potentially compromise user privacy by using unique product id which was accessible to third parties. [merged] [Closed]


Buddel
Go to solution Solved by harlan4096,

Recommended Posts

According to an article published by c't, a German computer magazine, Kaspersky puts users at risk by means of a data leak allowing third parties to spy on users while they are surfing the web. Link to article: https://www.heise.de/ct/artikel/Kasper-Spy-Kaspersky-Anti-Virus-puts-users-at-risk-4496138.html The article mentioned above is currently hotly debated in the German section of this forum. Any comments from Kaspersky?
Link to comment
Share on other sites

This is the only official response for now from Kaspersky, ...
I know but I do think Kaspersky should publish an official statement going beyond an "advisory". Apart from that, this privacy issue has not been completely fixed yet.
Link to comment
Share on other sites

After Kaspersky distributed the patch, I did not hesitate to repeat my experiments. The software still injects an ID - but this is now the same for all users: FDXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. A website can no longer recognize individual users. However, it is still possible to find out if a visitor installed Kaspersky software on their system and how old it is. An attacker could use this information to redistribute a pest tailored to the protection software or redirect it to a suitable scam page, with the slogan: "Your Kaspersky license has expired. Please enter your credit card number to renew the subscription ".
Link to comment
Share on other sites

It is still possible to find out if a visitor installed Kaspersky software on their system and how old it is. An attacker could use this information to redistribute a pest tailored to the protection software or redirect it to a suitable scam page, with the slogan: "Your Kaspersky license has expired. Please enter your credit card number to renew the subscription ".
___ Have you tested this Tiranon & with 2020? Does the same issue exist with VPN active? Curious:thinking:
Link to comment
Share on other sites

It is still possible to find out if a visitor installed Kaspersky software on their system and how old it is. An attacker could use this information to redistribute a pest tailored to the protection software or redirect it to a suitable scam page, with the slogan: "Your Kaspersky license has expired. Please enter your credit card number to renew the subscription ".
___ Have you tested this Tiranon & with 2020? Does the same issue exist with VPN active? Curious:thinking:
Yes, the problem exists in the 2020 version. Unfortunately, I do not use VPN
Link to comment
Share on other sites

Message from the support: Dear customer, I would like to thank you for the information sent. I have forwarded all data you provided to our product development in Moscow. Your request will now be processed. Please wait for my answer. Please ignore the message "If we do not receive an answer within the next 7 days, we assume the case has been resolved", as this is not your case. Many thanks.
Link to comment
Share on other sites

Some media seem to have received a (identical) statement from Kaspersky upon request:
Kaspersky has changed the process of checking web pages for malicious activity by removing the usage of unique identifiers for the GET requests. This change was made after Ronald Eikenberg reported to us that using unique identifiers for the GET requests can potentially lead to the disclosure of a user's personal information. After our internal research, we have concluded that such scenarios of user's privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process. We'd like to thank Ronald Eikenberg for reporting this to us."
I can't vouch for the authenticity, I didn't find a KL source for it.
Link to comment
Share on other sites

Some media seem to have received a (identical) statement from Kaspersky upon request:
Kaspersky has changed the process of checking web pages for malicious activity by removing the usage of unique identifiers for the GET requests. This change was made after Ronald Eikenberg reported to us that using unique identifiers for the GET requests can potentially lead to the disclosure of a user's personal information. After our internal research, we have concluded that such scenarios of user's privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process. We'd like to thank Ronald Eikenberg for reporting this to us." I can't vouch for the authenticity, I didn't find a KL source for it.
Hello Schulte, Thanks for the update. (imo) Kaspersky have made a statement, like they do with every other fix for malicious activity. It's not the first time in Kaspersky's history, nor any other major provider of av/malware sftw, that a bug's been found by an "outsider"... IF Kaspersky hadn't fixed, hadn't published and hadn't continued to work on the the issue, "that", would be newsworthy.
Link to comment
Share on other sites

After Kaspersky distributed the patch, I did not hesitate to repeat my experiments. The software still injects an ID - but this is now the same for all users: FDXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. A website can no longer recognize individual users. However, it is still possible to find out if a visitor installed Kaspersky software on their system and how old it is. An attacker could use this information to redistribute a pest tailored to the protection software or redirect it to a suitable scam page, with the slogan: "Your Kaspersky license has expired. Please enter your credit card number to renew the subscription ".
It is a widespread practice in the industry to use scripts as Kaspersky does. The script itself and/or URL from which it is downloaded can identify the vendor of the product with or without any ID. So, the conclusion made by the author of the article is silly. Moreover, use of terms such as spying (including deliberate brand distortion), bank trojans and data leakage, where discovered fault allowed very limited web tracking, clearly indicates that the article is obviously biased.
Link to comment
Share on other sites

Feature Kaspersky added in 2015 also made it possible to be ID'd across different browsers

Antivirus software is something that can help people be safer and more private on the Internet. But its protections can cut both ways. A case in point: for almost four years, AV products from Kaspersky Lab injected a unique identifier into the HTML of every website a user visited, making it possible for sites to identify people even when using incognito mode or when they switched between Chrome, Firefox, or Edge.... https://arstechnica.com/information-technology/2019/08/kaspersky-av-injected-unique-id-into-webpages-even-in-incognito-mode/
Link to comment
Share on other sites

Sadly that IT magazine c't goes so dirty way to engage the audience.
I agree. If anyone wants to read about real threats, there are plenty of real threats out there to read about. And do something about. That is why I changed the title of this topic thread, twice. That is why I have been active on the Kaspersky forums for 12 years, 61,000 posts. That is why I am active in several areas of other types of awareness of real threats. --------------- Scroll down to see first reader comment about a Real Threat: https://blog.dogsbite.org/2019/08/2019-dog-bite-fatality-9-year-old-girl-killed-by-three-pit-bulls-in-detroit.html
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.


×
×
  • Create New...