SoylentNews is people

posted by Fnord666 on Tuesday August 20 2019, @01:19PM
from the not-the-only-AV-vendor-to-do-this dept.

Submitted via IRC for SoyCow2718

Unique Kaspersky AV User ID Allowed 3rd-Party Web Tracking

Kaspersky antivirus solutions injected an identification number, unique to each system, into the web pages visited by their users. This started in late 2015, and the number could be used to track a user's browsing interests.

Paid and free versions of the antivirus product up to 2019 displayed this behavior, which allows tracking regardless of the web browser used, even when users start private sessions.

Flagged by c't magazine editor Ronald Eikenberg, the problem was that a JavaScript file was loaded from a Kaspersky server at an address that included an ID unique to every user.

Scripts on a website can read the HTML source and glean the Kaspersky identifier, which Eikenberg found remains unchanged on the system.

"In other words, any website can read the user's Kaspersky ID and use it for tracking. If the same Universally Unique Identifier comes back, or appears on another website of the same operator, they can see that the same computer is being used."

The purpose of the script is perfectly legitimate. One of its uses is to warn users which search results are dangerous to follow by applying a corresponding checkmark next to them. Kaspersky is not the only antivirus to do this.

Kaspersky acknowledged the issue and that it could be leveraged by third parties to "potentially compromise user privacy by using unique product id."

The company released a patch in early June. According to an advisory from July 11, an attacker could take advantage of this through a script deployed on a server they control.

Before reporting the problem to Kaspersky, Eikenberg tested the potential of his discovery by spending about half an hour creating a website that automatically copied the visitors' Kaspersky IDs.

Eikenberg argues that if he could find this issue, which is now identified as CVE-2019-8286, it is possible that marketers, malicious actors, and companies specializing in profiling website visitors discovered this user data leak years ago and exploited it; there is no evidence to support this, though.

Also at ArsTechnica
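
An added example (not from the article, c't, or Kaspersky): a check a defender could run over HTML saved from their own browser on unrelated sites, flagging any third-party script URL that carries the same UUID on every page, which is the pattern the story describes. The host names, the ID and the page snippets are constructed, since the real script address is not given on this page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

UUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.srcs.append(src)

def injected_ids(html, page_host):
    """Return {(script_host, uuid)} for off-site script URLs that embed a UUID."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    found = set()
    for src in parser.srcs:
        host = urlsplit(src).hostname  # None for relative (same-site) URLs
        if host and host != page_host:
            found.update((host, u.lower()) for u in UUID_RE.findall(src))
    return found

def persistent_ids(captures):
    """captures: [(page_host, html), ...] saved from different sites or sessions.
    A UUID served from the same script host on two or more unrelated sites is
    a stable identifier that every one of those sites can read."""
    seen = {}
    for page_host, html in captures:
        for key in injected_ids(html, page_host):
            seen.setdefault(key, set()).add(page_host)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= 2}

# Constructed sample input: placeholder hosts and a made-up ID.
SAMPLE_ID = "9F3C1A2B-7D4E-4F60-8A1B-2C3D4E5F6071"
CAPTURES = [
    ("news.example",
     f'<head><script src="https://av-vendor.example/{SAMPLE_ID}/main.js"></script>'
     '<script src="/static/app.js"></script></head>'),
    ("shop.example",  # also has a one-off UUID (cache-buster) that must not be flagged
     '<script src="https://cdn.example/lib.js?cb=11111111-2222-3333-4444-555555555555"></script>'
     f'<script type="text/javascript" src="https://av-vendor.example/{SAMPLE_ID}/main.js"></script>'),
]

if __name__ == "__main__":
    for (host, uid), pages in persistent_ids(CAPTURES).items():
        print(f"{uid} from {host} seen on: {', '.join(pages)}")
```

Feeding it captures from a normal and a private browsing session of the same sites tests the "even in private sessions" claim: the same ID showing up in both is the finding.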


  • (Score: 0) by Anonymous Coward on Tuesday August 20 2019, @01:28PM (7 children)

    by Anonymous Coward on Tuesday August 20 2019, @01:28PM (#882571)

    Kaspersky antivirus contained a design flaw which was fixed months ago. It's newsworthy now, why? Because some dude desperately wanted to be in the news? To pad his CV? What's the motivation here?

    • (Score: 1, Insightful) by Anonymous Coward on Tuesday August 20 2019, @01:32PM (5 children)

      by Anonymous Coward on Tuesday August 20 2019, @01:32PM (#882573)

      The story here is that Kaspersky was caught spying on users, even paid users. Even users who may have voted online (in countries, provinces and cantons that allow it).

      This wasn't a "bug". It was a way to track and monetize Kaspersky users' web usage.

      The fact that Kaspersky removed it after getting caught red handed does not absolve them of their actions (which may be illegal in some counties).

      • (Score: 0, Interesting) by Anonymous Coward on Tuesday August 20 2019, @02:07PM (4 children)

        by Anonymous Coward on Tuesday August 20 2019, @02:07PM (#882587)

        It was all part of Emperor Trump's Get Elected system.

        They haven't actually fixed it, of course, just changed some things to make people believe it's been changed.

        • (Score: -1, Troll) by Anonymous Coward on Tuesday August 20 2019, @04:07PM (2 children)

          by Anonymous Coward on Tuesday August 20 2019, @04:07PM (#882645)

          Maybe you should go outside and get some fresh air. Leave the computer and the crazy behind, and get yourself some sunshine.

          • (Score: 2) by aristarchus on Tuesday August 20 2019, @04:59PM

            by aristarchus (2645) on Tuesday August 20 2019, @04:59PM (#882682) Journal

            A virus warning is first the virus.

          • (Score: 0) by Anonymous Coward on Wednesday August 21 2019, @04:43AM

            by Anonymous Coward on Wednesday August 21 2019, @04:43AM (#882967)

            Says the AC who needs to lighten up.

        • (Score: 0) by Anonymous Coward on Tuesday August 20 2019, @06:47PM

          by Anonymous Coward on Tuesday August 20 2019, @06:47PM (#882721)

          Emperor Putin, remember the point of Trump's presidency is to destabilize the US while extracting money for the super rich and preferential treatment for Russia like lifting sanctions.

          Trump is too much of a baby to handle Emperorship anyway, at most he would be the child emperor while the real hooligans get down to business.

    • (Score: -1, Troll) by Anonymous Coward on Tuesday August 20 2019, @04:19PM

      by Anonymous Coward on Tuesday August 20 2019, @04:19PM (#882652)

      Rrrussia!

  • (Score: 0, Disagree) by Anonymous Coward on Tuesday August 20 2019, @01:29PM (8 children)

    by Anonymous Coward on Tuesday August 20 2019, @01:29PM (#882572)

    All viruses out there are Windows only.

    • (Score: 2) by Freeman on Tuesday August 20 2019, @03:09PM (1 child)

      by Freeman (732) on Tuesday August 20 2019, @03:09PM (#882605) Journal

      Incorrect, but Windows is targeted more frequently due to it being a large target. Linux and Apple have their own bugs / exploits / viruses / trojans, etc.

      Using Windows is more like walking through an empty field with a lightning rod strapped to your back during a thunderstorm. Whereas, when using Linux/Apple it's like standing under the only tree in the empty field during a thunderstorm.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
      • (Score: 0) by Anonymous Coward on Tuesday August 20 2019, @06:36PM

        by Anonymous Coward on Tuesday August 20 2019, @06:36PM (#882716)

        Windows is targeted more, true. The larger userbase is but cherry on top. The topic was viruses and not bugs / exploits / trojans etc.

        Yes, GNU/Linux ain't a silver bullet that will solve all your problems. But (anti-)viruses you can forget.

    • (Score: 4, Insightful) by Runaway1956 on Tuesday August 20 2019, @03:25PM (5 children)

      by Runaway1956 (2926) Subscriber Badge on Tuesday August 20 2019, @03:25PM (#882615) Journal

      Why would you beat that old dead horse? I presume that you're aware that the very first virus ever to cripple the internet, was written for Unix. You might google that, if you didn't already know it.

      • (Score: 1, Funny) by Anonymous Coward on Tuesday August 20 2019, @04:10PM

        by Anonymous Coward on Tuesday August 20 2019, @04:10PM (#882646)

        Why would you beat that old dead horse?

        Probably a /. orphan who doesn't know how to handle their freedom.

      • (Score: 0) by Anonymous Coward on Tuesday August 20 2019, @08:00PM

        by Anonymous Coward on Tuesday August 20 2019, @08:00PM (#882758)

        Windoze may be the more common OS (though I don't know if that is even true anymore given the proliferation of i devices and android devices). Yet most "real" and valuable stuff is processed by Unix machines. That alone should get the hordes cracking on the challenge. So what was the last Unix virus that caused random havoc? The Morris worm? That was 31 years ago and it got the "real" computing industry to start thinking about security.

        Windoze is and was made for amateurs. Where price beat securability and usability. Where a manager's gut feeling beats an engineer's considered advice. They may have improved their security situation in recent years, but I've stopped following and caring a long time ago.

      • (Score: 2) by RS3 on Wednesday August 21 2019, @04:47AM (2 children)

        by RS3 (6367) on Wednesday August 21 2019, @04:47AM (#882970)

        I completely agree with you about beating the dead horse, but your point is a bit out of context. Windows barely existed, if at all, when the first virus hit the Internet, and certainly no Windows computers routed Internet packets; Unix, VMS, etc., did.

        • (Score: 2) by Runaway1956 on Wednesday August 21 2019, @03:28PM (1 child)

          by Runaway1956 (2926) Subscriber Badge on Wednesday August 21 2019, @03:28PM (#883172) Journal

          The only context that I was inferring is, *nix is vulnerable to various attacks. There is nothing in *nix that protects a dummy from an obvious phishing attack, for instance. Federal - something or other Federal, a "security" company with globe-trotting executives who irritated people by thrusting themselves into current events while pretending to be security experts. One phishing email to a sexy-tary hacked the company wide open. "Sorry to bother you, Sweety, but I've forgotten my login password on blah-blah server." "Oh, no problem Mr. Big Balls, I'll fix that for you right now!" I seriously can't remember the name right now - Federal Avon? Federal Tupperware? Rubbermaid Federal? It sure wasn't Security Federal, LMAO!! Semi-seriously, the first time I read the name, I thought of an investment firm, rather than security.

          • (Score: 2) by RS3 on Friday August 23 2019, @04:51AM

            by RS3 (6367) on Friday August 23 2019, @04:51AM (#883919)

            I'm pretty sure it was Federal-Mogul: bearings, "motor parts", etc.

            My hope would be that a properly adminned *nix machine would have limited-privileges for the average user, so minimal damage. Of course the user might forward the email, or like you said, someone might give up a password or something, which is OS independent.

  • (Score: 0) by Anonymous Coward on Tuesday August 20 2019, @01:39PM

    by Anonymous Coward on Tuesday August 20 2019, @01:39PM (#882576)

    it is possible that marketers, malicious actors, and companies specializing in profiling website visitors

    The NSA. Check. (At least watching those who watch others....)

  • (Score: 0) by Anonymous Coward on Tuesday August 20 2019, @02:13PM

    by Anonymous Coward on Tuesday August 20 2019, @02:13PM (#882589)

    Didn't Verizon Wireless use to do this same thing, injecting a unique string in each HTTP request header?

    It's surprising how Kaspersky let this slip. Maybe losing all that sweet, sweet Best Buy money stung a bit? Their entire North American home support operation got the axe, except of course the "director" who I'm sure is buddy-buddy with some other muppets there.

  • (Score: 2) by Runaway1956 on Tuesday August 20 2019, @03:43PM (2 children)

    by Runaway1956 (2926) Subscriber Badge on Tuesday August 20 2019, @03:43PM (#882632) Journal

    Over time, I got the impression that Avast knew things about our home that they shouldn't really know. I no longer have a machine on which any AV runs, but the wife does. We've switched that machine over to a suite from IOBIT. I'm not going to tell you that IOBIT doesn't track her as well, but they aren't stupidly blatant about it.

    • (Score: 0) by Anonymous Coward on Tuesday August 20 2019, @07:45PM

      by Anonymous Coward on Tuesday August 20 2019, @07:45PM (#882751)

      There is Clamwin

    • (Score: 2) by RS3 on Wednesday August 21 2019, @04:51AM

      by RS3 (6367) on Wednesday August 21 2019, @04:51AM (#882971)

      I haven't tried IOBIT yet, but I've been using McAfee "RealProtect". It's a very different philosophy, and I'm 99% sure it does no tracking (it's quite small).

  • (Score: 2) by number11 on Tuesday August 20 2019, @04:20PM

    by number11 (1170) Subscriber Badge on Tuesday August 20 2019, @04:20PM (#882654)

    Kaspersky is not the only antivirus to do this.

    It would be nice to know if "this" is a script to flag bad websites that does not include a personal identifier, or that other vendors also use personal identifiers. And if the latter, who. It's not clear if this is a Kaspersky screw-up, or endemic to the industry.

  • (Score: 0) by Anonymous Coward on Tuesday August 20 2019, @04:42PM

    by Anonymous Coward on Tuesday August 20 2019, @04:42PM (#882670)

    nobody cares about this stupid windows bullshit.
