Kaspersky Products Allowed Websites to Track Users Due to a Security Flaw
Ronald Eikenberg, an editor at the German magazine c’t, discovered that Kaspersky Lab’s security products were leaking a unique user ID to websites and other online services, making it possible to track individual users. This vulnerability was assigned the identifier CVE-2019-8286 and affected several Kaspersky products, including Kaspersky Anti-Virus (up to version 2019), Internet Security (up to version 2019), Total Security (up to version 2019), Free Anti-Virus (up to version 2019), and Small Office Security (up to version 6).
How the Vulnerability Worked
The root of the problem was that Kaspersky’s security solutions scan web pages by injecting a special script that loads JavaScript from the company’s servers. This script is intended, for example, to warn users about potentially dangerous search results. Unfortunately, the URL used to load the script contained a unique identifier for each user. As a result, any website could easily read this unique ID, regardless of the browser used or whether incognito mode was enabled. In effect, this allowed websites to track users across different browsers.
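To make the distinction concrete, here is an added illustration (not code from c’t or from Kaspersky) of how one can tell a per-user identifier apart from a harmless constant in injected script URLs. The observations, the `example-av.invalid` domain and the `uid`, `v` and `cb` parameter names are all constructed placeholders, not the real endpoint or parameters. The audit checks, for each query parameter, whether every client always sends one stable value (across browsers and private mode) that differs between clients, which is exactly the property that made CVE-2019-8286 usable for tracking, and which the fix removed by giving all users the same value.

```python
"""Audit injected-script URLs for values that act as stable per-user identifiers.

Hypothetical example data; "example-av.invalid" is a placeholder, not the vendor's endpoint.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed observations: (client machine, browser/session, injected script URL).
# Each client is observed from two sessions so per-request values can be told apart
# from values that are stable for that client.
VULNERABLE_OBSERVATIONS = [
    ("client-A", "chrome",           "https://example-av.invalid/inject.js?uid=9f1c3a7e&v=2019&cb=1001"),
    ("client-A", "firefox-private",  "https://example-av.invalid/inject.js?uid=9f1c3a7e&v=2019&cb=1002"),
    ("client-B", "chrome",           "https://example-av.invalid/inject.js?uid=41d0b2c5&v=2019&cb=1003"),
    ("client-B", "edge",             "https://example-av.invalid/inject.js?uid=41d0b2c5&v=2019&cb=1004"),
    ("client-C", "chrome-incognito", "https://example-av.invalid/inject.js?uid=77ee02ab&v=2019&cb=1005"),
    ("client-C", "firefox",          "https://example-av.invalid/inject.js?uid=77ee02ab&v=2019&cb=1006"),
]

# The same clients after a fix of the kind the article describes: one value shared by everyone.
FIXED_OBSERVATIONS = [
    ("client-A", "chrome",           "https://example-av.invalid/inject.js?uid=00000000&v=2019&cb=2001"),
    ("client-A", "firefox-private",  "https://example-av.invalid/inject.js?uid=00000000&v=2019&cb=2002"),
    ("client-B", "chrome",           "https://example-av.invalid/inject.js?uid=00000000&v=2019&cb=2003"),
    ("client-B", "edge",             "https://example-av.invalid/inject.js?uid=00000000&v=2019&cb=2004"),
    ("client-C", "chrome-incognito", "https://example-av.invalid/inject.js?uid=00000000&v=2019&cb=2005"),
    ("client-C", "firefox",          "https://example-av.invalid/inject.js?uid=00000000&v=2019&cb=2006"),
]

PER_USER = "per-user identifier"      # unique per client, constant for that client: trackable
SHARED = "shared constant"            # same for everyone: reveals the product, not the person
PER_REQUEST = "per-request value"     # changes between sessions of one client (e.g. cache buster)
PARTIAL = "shared by some clients"    # cohort-style value: still narrows users down


def values_by_client(observations, param):
    """Collect the distinct values each client was seen sending for `param`."""
    seen = defaultdict(set)
    for client, _session, url in observations:
        for value in parse_qs(urlparse(url).query).get(param, []):
            seen[client].add(value)
    return seen


def classify_parameter(observations, param):
    """Classify one query parameter; returns None if no observation carries it."""
    seen = values_by_client(observations, param)
    if not seen:
        return None
    # "Stable" means a client sends exactly one value across all of its sessions.
    # Clients with a single observation cannot be judged; feed at least two sessions each.
    if any(len(values) != 1 for values in seen.values()):
        return PER_REQUEST
    distinct = {next(iter(values)) for values in seen.values()}
    if len(distinct) == 1:
        return SHARED
    if len(distinct) == len(seen):
        return PER_USER
    return PARTIAL


def audit(observations):
    """Classify every query parameter that appears in the observed URLs."""
    params = set()
    for _client, _session, url in observations:
        params.update(parse_qs(urlparse(url).query))
    return {param: classify_parameter(observations, param) for param in sorted(params)}


if __name__ == "__main__":
    for label, obs in (("before fix", VULNERABLE_OBSERVATIONS), ("after fix", FIXED_OBSERVATIONS)):
        print(label, audit(obs))
```

Run stand-alone, the script reports `uid` as a per-user identifier for the vulnerable data set and as a shared constant after the fix, while `v` is a shared constant in both cases, which matches the article's point that the patched product still lets a site tell which product and version is installed, but no longer which user is visiting.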
Potential Risks and Exploitation
Eikenberg believes that marketers, cybercriminals, and companies specializing in visitor profiling could have discovered and exploited this bug for years, although he has no direct evidence of this. Kaspersky Lab developers fixed the issue in July of the same year. Now, the identifier still exists, but it is the same for all users of certain products, so it can no longer be used to track individuals.
However, Eikenberg points out that even in its current form, the ID could pose a risk. Websites can still detect whether a visitor is using a Kaspersky product and which version is installed. “This is valuable information for an attacker. They could use it to distribute malware specifically targeting that security product or redirect the user to a relevant phishing page. Imagine a message like, ‘Your Kaspersky license has expired. Please enter your credit card number to renew your subscription,’” Eikenberg writes.
Kaspersky’s Response and User Recommendations
Kaspersky Lab specialists acknowledge that such attacks are theoretically possible but unlikely to be carried out in practice due to their complexity and low profitability for cybercriminals. Nevertheless, users who are concerned can disable the Kaspersky URL Advisor in the settings, although this may affect the functionality of other product components.