Kaspersky promises security and data protection. However, a data leak allowed third parties to spy on users while they were surfing the web. For years.
A strange discovery on my office computer led me to unearth an astonishing data leak caused by Kaspersky's antivirus software. Originally, I had installed the software in order to experience the promised added value during everyday use. We, journalists at c't magazine, regularly test antivirus software, and this was part of a test for our c't issue 3/2019.
The following weeks and months seemed to offer little excitement – the Kaspersky software worked essentially as well or as badly as Windows Defender. One day, however, I made a strange discovery. I looked at the HTML source code of an arbitrary website and came across the following line of code:
To investigate, I experimented with the web browsers Firefox, Edge, and Opera. Again, the same line of code popped up everywhere. Since I had no suspicious browser extensions installed which could be responsible, the simple conclusion was that Kaspersky's virus protection was manipulating my traffic. Without my permission, it was injecting that code. Before that day, I had observed such behaviour only from online banking Trojans. That is malware built to manipulate bank websites, for example to secretly change the recipient of a money transfer. But what the heck was Kaspersky doing there?
My first examination of Kaspersky's script main.js showed me that, among other things, it displays green icons with Google search results if Kaspersky believes the relevant link to lead to a clean website. This could have been the end of my analysis, but there was this one small detail: The address from which the Kaspersky script was loaded contained a suspicious string:
The part marked bold has a characteristic pattern. The structure matches a so-called Universally Unique Identifier (UUID). These IDs are used to make things, well, uniquely identifiable. But who or what can be identified using the Kaspersky ID?
The suspicious ID
I was further irritated by the location of the ID: The Kaspersky software injected it directly into the HTML source code of each website. That's a remarkably bad idea. Other scripts running in the context of the website domain can access the entire HTML source any time, which means they can read the Kaspersky ID.
In other words, any website can read the user's Kaspersky ID and use it for tracking. If the same Universally Unique Identifier comes back, or appears on another website of the same operator, they can see that the same computer is being used. If this assumption is correct, Kaspersky has created a dangerous tracking mechanism that makes tracking cookies look old. In that case, websites can track Kaspersky users, even if they switch to a different browser. Worse yet, the super tracking can even overcome the browser's incognito mode.
But could a company that has been dedicated to the security and privacy of its customers for over twenty years have overlooked such an obvious problem? I decided to put it to the test. Half an hour later, I had created a simple website that would automatically read and save the visitors' Kaspersky ID.
I'm afraid it worked like a charm. After I had collected the IDs of several test computers, I also stored the names of the colleagues who owned those computers in the code of my demonstration page. From that moment on, my test page greeted them personally whenever they opened the site – no matter which browser they used or how often they deleted cookies. Even the incognito mode did not offer any protection against my Kaspersky-infused tracking. At this point, it was clear that this was a serious security issue.
At c't magazine, we strive to avoid putting users at risk. So, first, I informed Kaspersky about my findings. The company's research department replied swiftly. They would look into the matter. About two weeks later, the headquarters in Moscow, Russia, had analysed the case. The problem I discovered was determined to be real. It affected all consumer versions of Kaspersky software for Windows, from the free version to Kaspersky Internet Security to Total Security. Additionally, the Small Office Security flavour was affected as well. Several million users must have been exposed.
My inquiries revealed that the leak was introduced with Kaspersky's "2016" editions, released in the autumn of 2015. And the UUID wasn't hidden. If I was able to find it by happenstance, various people, from eager marketers to malicious attackers, may have been exploiting it for almost four years.
According to Kaspersky, "such an attack is too complex and not profitable for cybercriminals, and therefore unlikely to happen". I beg to differ: If I was able to create a website in a short period of time that reads and saves the IDs, why couldn't others have done it at some point in the last four years? Numerous companies specialize in spying on website visitors in as much detail as possible. This would be a boon for their spying efforts.
That cat is out of the bag
Since Kaspersky had apparently recognized the seriousness of the situation and promised me a patch, I waited. In June, the "Patch F" was indeed distributed, and last month, Kaspersky published a security advisory. It describes the problem and its solution. Upon my request, the manufacturer also assigned the vulnerability a "CVE" number, which is a globally valid identification number for security vulnerabilities. Thus, the leak has a proper name: CVE-2019-8286.
The Kaspersky Advisory and the CVE registration have brought the problem to the attention of security authorities. For example, the German CERT-Bund has issued a warning regarding the information leak. Furthermore, there is an entry in the National Vulnerability Database of the US-CERT.
After Kaspersky distributed the patch, I did not hesitate to repeat my experiments. The software still smuggles a script with an ID into each webpage – but the ID is now identical for all users of a specific Kaspersky edition: FD126C42-EBFA-4E12-B309-BB3FDD723AC1. A website can no longer recognize individual users. However, that means it is still possible to find out if a visitor has installed Kaspersky software on their system and how old that software is.
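To make the two observations above concrete (any script can read the injected tag from the page's HTML, and after Patch F the ID is a fixed value), here is an added self-check that is not code from the article or from Kaspersky: it scans a page's HTML for a `main.js` script tag carrying a UUID path segment and reports whether that ID is a per-user value or the constant one. The host name and the sample pages are constructed placeholders; in a real browser you would pass `document.documentElement.outerHTML`.

```javascript
// Added example, not from the c't article or Kaspersky. Assumption: the
// injected tag is a <script> whose src path ends in "/<UUID>/main.js".
// The host name below is a placeholder, not Kaspersky's real script server.

// Constant ID shipped by the patched builds, as reported in the article.
const PATCH_F_CONSTANT_ID = "FD126C42-EBFA-4E12-B309-BB3FDD723AC1";

// Finds a script src containing a UUID segment followed by main.js.
const INJECTED_SCRIPT_RE =
  /<script[^>]*\ssrc=["']([^"']*\/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\/main\.js)["'][^>]*>/i;

// Classifies a page: "none" (no injected script found), "per-user-id"
// (pre-patch behaviour, usable for cross-browser tracking) or
// "patched-constant-id" (still reveals that Kaspersky is installed).
function classifyInjectedScript(html) {
  const m = INJECTED_SCRIPT_RE.exec(html);
  if (!m) return { status: "none", id: null, src: null };
  const id = m[2].toUpperCase();
  const status = id === PATCH_F_CONSTANT_ID ? "patched-constant-id" : "per-user-id";
  return { status, id, src: m[1] };
}

// Constructed sample pages (placeholder host, constructed UUID).
const PAGE_PRE_PATCH = `<html><head>
<script type="text/javascript" src="https://injected.example.invalid/9A5C1F3E-2B7D-4C6A-8E1F-0D2B3C4A5E6F/main.js"></script>
</head><body>hello</body></html>`;

const PAGE_PATCHED = `<html><head>
<script type="text/javascript" src="https://injected.example.invalid/${PATCH_F_CONSTANT_ID}/main.js"></script>
</head><body>hello</body></html>`;

const PAGE_CLEAN = `<html><head><script src="/static/app.js"></script></head><body>hello</body></html>`;

for (const [name, html] of [["pre-patch", PAGE_PRE_PATCH], ["patched", PAGE_PATCHED], ["clean", PAGE_CLEAN]]) {
  const r = classifyInjectedScript(html);
  console.log(`${name}: ${r.status}${r.id ? " (" + r.id + ")" : ""}`);
}
```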
That is actually valuable information to an attacker. They may use that information to distribute malware tailored to the protection software, or to redirect the browser to a suitable scamming page. Imagine something along the lines of "Your Kaspersky license has expired. Please enter your credit card number to renew your subscription". Of course I have reported this problem to Kaspersky as well.
To be on the safe side, you can disable the relevant function in Kaspersky's software: Click the cogwheel icon in the bottom left corner of the main window, then click Additional/Network. Finally, uncheck the "Inject script into web traffic to interact with web pages" option under "Traffic processing".