Busted: Kaspersky AV Tracks Your Every Click

Kaspersky Lab’s endpoint security products track your web activity. All of it—the Russian company even monitors visits to https-secured websites.

The AV software inserts a JavaScript bug in every webpage you load. Incredibly, Kaspersky included a unique identifier that allows any other website to track you, too. The company has patched that latter behavior, but the Russian tracking remains in place.

Yevgeny Valentinovich “Eugene” Kaspersky (pictured) is probably right to look red-faced. In today’s SB Blogwatch, we click Uninstall.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: humorless 747 driver.


KAV is Spyware

What’s the craic? Ronald Eikenberg puns it up—“Kasper-Spy: Kaspersky Anti-Virus puts users at risk”:

 A data leak allowed third parties to spy on users while they were surfing the web. For years.

An external JavaScript script named main.js was being loaded from a Kaspersky domain. … When I checked the HTML source of other websites … I found the strange code on each and every page. Without exception, even on the website of my bank, a script from Kaspersky was introduced.

The simple conclusion was that Kaspersky’s virus protection was manipulating my traffic. Without my permission, it was injecting that code. [And] the address from which the Kaspersky script was loaded contained a … permanently assigned ID … (UUID).

That’s a remarkably bad idea. Other scripts … can read the Kaspersky ID [so] any website can read the user’s Kaspersky ID and use it for tracking. … Kaspersky has created a dangerous tracking mechanism that makes tracking cookies look old [and] can even overcome the browser’s incognito mode.

At this point, it was clear that this was a serious security issue.
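To make the mechanism Eikenberg describes concrete, here is an added audit check (not code from the article, from c't, or from Kaspersky): it scans a page's HTML for externally sourced script tags whose URL carries a UUID-shaped token, which is exactly the per-user identifier that any other script on the same page could read. The sample page, the host `av-vendor.example`, the bank origin and the UUID are constructed placeholders.

```javascript
// Added example: flag injected third-party scripts that carry a UUID in their URL.
// Sample page, hosts and UUID below are constructed placeholders, not values from the article.
const UUID_RE = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i;
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;

// Return the script URLs that (a) come from a host other than the page's own and
// (b) embed a UUID-shaped token, i.e. a stable identifier exposed to every other script.
function findIdentifierBearingScripts(html, pageOrigin) {
  const pageHost = new URL(pageOrigin).host;
  const hits = [];
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    let url;
    try { url = new URL(m[1], pageOrigin); } catch { continue; } // skip malformed src
    const thirdParty = url.host !== pageHost;
    const uuid = UUID_RE.exec(url.href);
    if (thirdParty && uuid) hits.push({ src: url.href, id: uuid[0].toLowerCase() });
  }
  return hits;
}

// Constructed sample: a bank's login page into which a local security product has
// inserted a script whose path carries a permanent, machine-specific identifier.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://av-vendor.example/123e4567-e89b-12d3-a456-426614174000/main.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body>Welcome</body></html>`;

// Any hit means a stable tracking key is readable via document.scripts by every
// script on the page, independent of cookies and of the browser's incognito mode.
function auditSample() {
  return findIdentifierBearingScripts(SAMPLE_HTML, "https://bank.example/login");
}
```

Running `auditSample()` against the constructed page reports the one injected script and the identifier it leaks; the page's own script and the plain CDN script are not flagged.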

Um, no ****, Sherlock. A well-read Shaun Nichols asks, “Quis custodiet ipsos custodes?”:

 Kaspersky’s fix addresses a privacy hole … on the heels of the monthly security patch dumps from Microsoft, Adobe, Apple, and SAP, giving admins one more update to test and install. … Kaspersky, for its part, downplayed the risk posed by the behavior but did acknowledge it had been in contact with Eikenberg and had agreed to stop including unique identifiers as part of its web antivirus tool.

A spokesperson said … “After our internal research, we have concluded that such scenarios of user’s privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals.”

Wait, what? revenant gives that PR guff a big thumbs-down:

 Embedding unique IDs in pages was dumb, but these words from Kaspersky … seem particularly naive. The continuing need for products like theirs is a testament to the dedication of miscreants to the task of exploiting even the tiniest of vulnerabilities.

1/10, Must do better.

Ouch. But what was Kaspersky trying to achieve, and how can I switch it off? christose answers both:

 It’s for their URL Advisor feature. It annotates pages like Google search results with a color indicator next to each link, to show if the link is “safe” or not.

You can disable it from Options => Additional => Networking.

Wait. Pause. That doesn’t explain the UUID, as scdeimos points out:

 Stop and think about that.

Now explain why Kaspersky needs a UUID for the URL Advisor to function. Dangerous URLs are equally dangerous to all users – you don’t need to call them out for some users and not others.

But belthize wonders if we’re over-reacting a little bit:

 Kaspersky is guilty … of what exactly?

Sloppy thinking but not maliciousness. … They weren’t tracking you. But because they injected your id into the page a remote site could … if the site knew about the vulnerability.

Sub-optimal? Sure. Horrifyingly terrible breach of trust? Not even a little bit.

Another worry is raised by Garach Jedao Shkan—@ClipperChip:

 Kaspersky Anti-Virus lets … servers in Russia … read all your typed URLs and URL parameters. For years.

That includes SSL because conveniently such Snake-Oil software bypasses it. … Your SSL is compromised with such software.

And S. Hossein Darvari—@xhdix—agrees:

 Kaspersky sends requests to his server every two seconds. These queries included the full URL of each browser tab.

By doing so, they logged all user activity. (What part of each site was used for how long.)

I no longer use [the] software. Because privacy is as important as security.

So what does this do to Kaspersky’s already-tarnished reputation? Nathaniel Mott muses on “UUID Injection”:

 [I] said earlier this week that improvements to Windows Defender made it hard to recommend third-party antivirus solutions for Windows 10. Knowing that Kaspersky gave website operators an easy way to track its users without their knowledge or consent makes that recommendation even harder.

People bought a tool so they could defend their systems, but instead, they got one that intentionally broadcast a unique identifier to the world.

And Finally:

Po-faced 747 pilot “exposes” Hollywood lies


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Евгений Валентинович Касперский (cc:by-sa)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.