Home > News content

Kaspersky fixes a four-year-old vulnerability and injects a unique identifier into HTML source code that leaks user privacy

via:cnBeta.COM     time:2019/8/16 14:27:50     readed:413


(Question Map viaHeise.de)

As c

In the first few weeks and months, things seemed to be going smoothly --- Kaspersky's software performance, andWindowsDefender is basically the same or unsatisfactory.

Then one day, Ronald EikenbergAfter checking the HTML source code of any website, Kaspersky injected the following code into it:

Obviously, the browser is loading an external JavaScript script named main. JS from the Kaspersky domain. Although JS code is not uncommon,But when you look into the HTML source code of other websites displayed in browsers, almost all of them have the same strange discoveries.

Not surprisingly, Ronald Eikenberg also saw scripts from Kaspersky on his personal online banking website. So it concluded that this might have something to do with Kaspersky software.

To verify, Ronald EikenbergTry Mozilla Firefox, Microsoft Edge, and Opera browsers, and find the same code everywhere.

Given the absence of a suspicious browser extension, he can only simply understand that Kaspersky Anti-Virus software is manipulating current network traffic - without user permission, Kaspersky is overtaking!

Before this incident was exposed, many people might only observe this behavior on malicious software such as cyber-silver Trojan Horse in order to steal or tamper with key information (such as quietly changing the payer of Cyber-bank transfers).Now the question is what are you doing, Kaspersky?

After an analysis of the main.js script, it is known that Kaspersky will display a green icon with Google search results in the address bar after identifying a'clean'website link.

But there's a little detail.——The address to load the Kaspersky script also contains a suspicious string:

Https://gc.kis.v2.scr.kaspersky-labs.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/ main.js


The link bold part obviously belongs to some kind of "universal unique identifier" (UUID).But as a computer security software, who does Kaspersky want to identify or track with this string of characters?

Extended Extension Verification, Ronald Eikenberg installed Kaspersky software on other computers and found that it did inject JavaScript code into other systems as well, noting a crucial difference.

The UUID in the source address is different on each system. These IDs are persistent identifiers that will not change even in a few days. Obviously, each computer has its own permanently assigned ID.

The idea of injecting these UUIDs directly into the HTML source code of each website is absolutely a bad idea.Because other scripts running in the context of the Web site domain can access the entire HTML source at any time, and even read Kaspersky UUIDs.

This means that any website can read and track the network ID of the Kaspersky software user. As long as another website detects the same string, it can be determined that the source of its access is from the same computer.

Based on this assumption, Kaspersky apparently created a dangerous tracking mechanism, even more extreme than traditional cookies - even if you switch browsers, they will be tracked and identified to use the same device, making the browser's stealth mode virtual.

To avoid more users at risk, cAnd received a prompt reply from the other party, saying that it had begun to investigate the matter.

About two weeks later, Kaspersky Moscow headquarters analyzed the case and confirmed c

This problem affects all consumer versions of Kaspersky security software using Windows, from the free version of the entry machine, the Internet Security Suite (KIS) to the Total Security.

In addition, the Small Business Security Edition of KasperskyOfficeSecurity has also been affected by this problem, exposing millions of users to risk.

Heise. de survey shows that,Kaspersky introduced the vulnerability from the "2016" series released in autumn 2015.But since ordinary netizens can inadvertently find this vulnerability, third parties, including marketing agencies, are also likely to have launched field use early.

Even so, Kaspersky said the attack was too complex, so the probability of it happening was very low, and it was not profitable for cyber criminals.

Heise. de, however, disagrees with the company's statement that, after all, many companies are trying to monitor every visitor to the site. This four-year-old loophole is likely to be a good news for its spying activities.

Fortunately, after realizing the seriousness of the matter,Kaspersky finally heeded the requests of the detonators and issued the CVE-2019-8286 security announcement last month.And the patches have been patched.

Of course, for the sake of security, you can also disable the related functions provided in Kaspersky software:

Click the gear (settings) icon in the lower left corner of the main window-

China IT News APP

Download China IT News APP

Please rate this news

The average score will be displayed after you score.

Post comment

Do not see clearly? Click for a new code.

User comments