Unique Kaspersky AV User ID Allowed 3rd-Party Web Tracking
upstart writes:
Submitted via IRC for SoyCow2718
Kaspersky antivirus products injected into the web pages visited by their users an identification number that was unique to each system. The behavior started in late 2015 and could be used to track a user's browsing interests.
Versions of the antivirus product, paid and free, up to 2019 exhibited this behavior, which allowed tracking regardless of the web browser used, even when users browsed in private sessions.
The problem, flagged by c't magazine editor Ronald Eikenberg, was that a JavaScript file from a Kaspersky server was loaded from an address that included a unique ID for every user.
Scripts on a website can read the HTML source and glean the Kaspersky identifier, which Eikenberg determined remained unchanged on a given system.
"In other words, any website can read the user's Kaspersky ID and use it for tracking. If the same Universally Unique Identifier comes back, or appears on another website of the same operator, they can see that the same computer is being used."
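The tracking property described above is that a token embedded in an injected script URL stays the same across sites, sessions and browsers. The following audit helper, added here and not taken from the article or from Kaspersky, scans HTML snapshots of several page loads for UUID-shaped tokens inside `<script src>` URLs and reports only those present in every snapshot, which is what an auditor would look for when checking that a browser extension or injected resource does not carry a stable per-install identifier. The host, path and UUID values are constructed placeholders, not the real URL format.

```javascript
// Added audit helper (not from the article or Kaspersky): find UUID-shaped
// tokens in injected <script src> URLs and report those that stay constant
// across page loads, i.e. the ones usable as a cross-site tracking identifier.
const SCRIPT_SRC = /<script\b[^>]*\bsrc=["']([^"']+)["']/gi;
const UUID = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/gi;

// Return the set of UUIDs found inside any <script src> URL of one snapshot.
function uuidsInScriptUrls(html) {
  const found = new Set();
  for (const m of html.matchAll(SCRIPT_SRC)) {
    for (const u of m[1].matchAll(UUID)) found.add(u[0].toLowerCase());
  }
  return found;
}

// Given snapshots from several loads (different sites, a private window,
// another browser), return UUIDs that appear in every one of them.
// A per-load nonce drops out; a persistent per-install ID survives.
function stableIdentifiers(snapshots) {
  if (snapshots.length === 0) return [];
  let common = uuidsInScriptUrls(snapshots[0]);
  for (const html of snapshots.slice(1)) {
    const here = uuidsInScriptUrls(html);
    common = new Set([...common].filter((id) => here.has(id)));
  }
  return [...common].sort();
}

// Constructed sample snapshots (placeholder host, path and identifiers).
const STABLE_ID = "3b2d9c1e-5a7f-4c8e-9d2a-6f1b0e4a7c35";
const SAMPLE_LOADS = [
  `<html><head><script src="https://cdn.example/analytics.js"></script>
   <script src="https://av-vendor.example/inject/${STABLE_ID}/main.js?nonce=11111111-2222-4333-8444-555555555555"></script>
   </head><body>site A, normal window</body></html>`,
  `<html><head><script src="https://av-vendor.example/inject/${STABLE_ID}/main.js?nonce=aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"></script>
   </head><body>site B, private window</body></html>`,
];

console.log("stable identifiers:", stableIdentifiers(SAMPLE_LOADS));
```

In a browser, `uuidsInScriptUrls(document.documentElement.outerHTML)` collects the tokens for the current page, and snapshots taken from two unrelated sites can then be compared with `stableIdentifiers`.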
The purpose of the script is perfectly legitimate. One of its uses is to warn users which search results are dangerous to follow by applying a corresponding checkmark next to them. Kaspersky is not the only antivirus to do this.
Kaspersky acknowledged the issue and confirmed that it could be leveraged by third parties to "potentially compromise user privacy by using unique product id."
The company released a patch in early June. According to an advisory from July 11, an attacker could take advantage of this through a script deployed on a server they control.
Before reporting the problem to Kaspersky, Eikenberg tested the potential of his discovery by spending about half an hour creating a website that automatically copied the visitors' Kaspersky IDs.
Eikenberg argues that if he could find this issue, now tracked as CVE-2019-8286, it is possible that marketers, malicious actors, and companies specializing in profiling website visitors discovered this user data leak years ago and exploited it; there is no evidence to support this, though.
Also at ArsTechnica
Read more of this story at SoylentNews.