Update: The story was updated with Kaspersky Labs comments.
This is a story of how a "feature" that exists in all of Kaspersky Lab's antivirus software for Windows since 2016, which was discovered by a German journalist earlier this year, led to a major security issue that let cybercriminals track millions of Kaspersky customers without their knowledge.
It all started when Ronald Eikenberg, a reporter at German computer magazine C't, began testing antivirus software for the March issue of his publication. Several months later he made a strange discovery in the HTML source code of a website he was visiting and found that Kaspersky's antivirus software was injecting some code (a Javascript script) into webpages.
"It looks as if Kaspersky was looking for a way to interact with websites without requiring the installation of a browser extension on the user's system," Eikenberg told me. "One of the purposes of the script is to evaluate Google search results displayed in the user's browser. If a link is safe, the Kaspersky software will display a green shield behind it."
From spying to possible cyberattacks
However, in order to be able to insert the script, the Kaspersky software is analyzing the user's web traffic including SSL-encrypted connections, Eikenberg added. Which is for me a major security and privacy issue right there as Kaspersky has now the knowledge of all of the websites its customers are visiting, including inside secure corporate networks.
"Before that day, I had observed such behavior only from online banking Trojans which is malware built to manipulate bank websites, for example, to secretly change the recipient of a money transfer," wrote Eikenberg. "So, what the heck was Kaspersky doing there?"
I've contacted Kaspersky's U.S. office regarding Eikenberg's data leak discovery as well as Eugene, the company's CEO and co-founder, and I will update this report with their response (see below).
Furthermore, Eikenberg also found out that Kaspersky's servers were injecting a unique identifier into the HTML source code of the visited Web page that not only identifies a particular user but also the computer used.
"Even the incognito mode did not offer any protection against the Kaspersky-infused tracking," added Eikenberg. "At this point, it was clear that this was a serious security issue."
Atherton Research Insights
Last month, Kaspersky issued a patch which gives the same identifier for all the users of a specific version of the Russian company's antivirus software (Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Free Anti-Virus, Kaspersky Small Office Security) which still allows a malicious hacker to know that an antivirus software is installed on the machine and whether the version has already been patched against the ID leak—which is still very valuable information for an attacker.
To prevent Kaspersky's antivirus to inoculate the problematic Javascript script—which it does by default—we recommend to manually uncheck it in the software settings, depending of course on how you feel about being spied upon.
Below is Kaspersky Labs' response to our story:
Kaspersky has changed the process of checking web pages for malicious activity by removing the usage of unique identifiers for the GET requests. This change was made after Ronald Eikenberg reported to us that using unique identifiers for the GET requests can potentially lead to the disclosure of a user’s personal information.
After our internal research, we have concluded that such scenarios of user’s privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process.
We’d like to thank Ronald Eikenberg for reporting this to us.
