A vulnerability in the Kaspersky Antivirus software, tracked as CVE-2019-8286, had exposed a unique identifier associated with its users to every website they have visited in the past 4 years. The exposure of this identifier allowed visited websites and commercial third-party services to track users online.
The bad news is that users might have been exposed to cross-site tracking even if they have blocked or deleted cookies.
The vulnerability was discovered by the security researcher Ronald Eikenberg, it resides in the URL scanning module, called Kaspersky URL Advisor, of the antivirus software
“My first examination of Kaspersky’s script main.js showed me that, among other things, it displays green icons with Google search results if Kaspersky believes the relevant link to lead to a clean website.” reads the post published by the expert. “This could have been the end of my analysis, but there was this one small detail: The address from which the Kaspersky script was loaded contained a suspicious string:
The part marked bold has a characteristic pattern. The structure matches a so-called Universally Unique Identifier (UUID). These IDs are used to make things, well, uniquely identifiable”
“That’s a remarkably bad idea. Other scripts running in the context of the website domain can access the entire HTML source any time, which means they can read the Kaspersky ID.
In other words, any website can read the user’s Kaspersky ID and use it for tracking. If the same Universally Unique Identifier comes back, or appears on another website of the same operator, they can see that the same computer is being used.” continues the post. “If this assumption is correct, Kaspersky has created a dangerous tracking mechanism that makes tracking cookies look old. In that case, websites can track Kaspersky users, even if they switch to a different browser. Worse yet, the super tracking can even overcome the browser’s incognito mode.”
“Kaspersky has fixed a security issue (CVE-2019-8286) in its products that could potentially compromise user privacy by using
Experts pointed out that Kaspersky URL Advisor feature still allows checking if a visitor has Kaspersky Antivirus software installed on his computers, an information that could be used by scammers in various ways.
“That is actually valuable information to an attacker. They may use that information to distribute malware tailored to the protection software, or to redirect the browser to a suitable scamming page.” concludes the expert. “Imagine something along the lines of “Your Kaspersky license has expired. Please enter your credit card number to renew your subscription”. Of course I have reported this problem to Kaspersky as well.”
If you want to disable the URL Advisor feature from settings→ additional→ network→ un-check traffic processing box.
(SecurityAffairs – CVE-2019-8286, Kaspersky Antivirus)