
Kaspersky antivirus exposed users to online tracking

(Image credit: Alexxsun)

For years, websites all over the internet were able to track visitors who were using Kaspersky’s antivirus solution, but both the security firm and the media are describing this as a minor flaw and nothing more than an incident.

Earlier this week, German magazine c’t published a report in which it detailed an experiment involving Kaspersky software installed on a test laptop. As it turns out, the software injects JavaScript code into every rendered website, regardless of the browser used.

The script has an ID number that seems to be unique for every PC.
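
A check a defender can run to confirm this behaviour on test machines, as an added example that is not from c’t or Kaspersky: it compares saved page source from two PCs and reports identifier-like tokens in script URLs that repeat across unrelated sites on one PC but differ on the other. The host `injector.example`, the ID values and all function names are constructed for illustration; the article does not give the real script URL format.

```javascript
// Constructed captures: page source of two unrelated sites as saved on two test PCs.
// The host injector.example and both ID values are made up for illustration.
const page = (id, own) => `<html><head>
  <script src="https://injector.example/${id}/main.js"></script>
  <script src="https://cdn.example/lib.3b5d5c3712955042212316173ccf37be.js"></script>
  <script src="${own}"></script></head><body></body></html>`;
const ID_A = "1F2E3D4C-5B6A-4978-8695-A4B3C2D1E0F9";
const ID_B = "9A8B7C6D-0E1F-4234-A567-89ABCDEF0123";
const pcA = { "news.example": page(ID_A, "/static/app.js"), "shop.example": page(ID_A, "/js/cart.js") };
const pcB = { "news.example": page(ID_B, "/static/app.js"), "shop.example": page(ID_B, "/js/cart.js") };

// Collect the src attribute of every <script> tag in a saved page.
function scriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  return [...html.matchAll(re)].map((m) => m[1]);
}

// Split a URL into segments and keep those that look like IDs or hashes:
// 16+ characters of hex digits and dashes, containing at least one digit.
function idTokens(url) {
  return url.split(/[\/?&=#.]/).filter((t) => /^[0-9a-f-]{16,}$/i.test(t) && /\d/.test(t));
}

// Tokens that appear in script URLs on at least minSites different sites.
function crossSiteIds(pagesBySite, minSites = 2) {
  const seen = new Map(); // token -> Set of sites where it was seen
  for (const [site, html] of Object.entries(pagesBySite)) {
    for (const src of scriptSources(html)) {
      for (const tok of idTokens(src)) {
        if (!seen.has(tok)) seen.set(tok, new Set());
        seen.get(tok).add(site);
      }
    }
  }
  return [...seen]
    .filter(([, sites]) => sites.size >= minSites)
    .map(([token, sites]) => ({ token, sites: [...sites].sort() }));
}

// A shared CDN hash also repeats across sites, but it is the same on every PC.
// A per-install ID repeats across sites on one PC and is absent on the other.
function perMachineIds(a, b) {
  const onB = new Set(crossSiteIds(b, 1).map((e) => e.token));
  return crossSiteIds(a).filter((e) => !onB.has(e.token));
}

console.log(perMachineIds(pcA, pcB));
```

The second machine is what separates a per-install identifier from an ordinary content hash in a third-party script URL, which would otherwise be flagged as well.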

"That's a remarkably bad idea," the report states. "Other scripts running in the context of the website domain can access the entire HTML source any time, which means they can read the Kaspersky ID. In other words, any website can read the user's Kaspersky ID and use it for tracking."

The journalist who wrote the piece, Ronald Eikenberg, notified Kaspersky, which fixed the flaw this June. The company confirmed that the flaw was found in all versions of Kaspersky antivirus software released after late 2015.

"Several million users must have been exposed" overall, Eikenberg reasoned.

Despite fixing the flaw relatively fast, Kaspersky downplayed the importance of this tracking ID.

"After our internal research, we have concluded that such scenarios of user's privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process. We'd like to thank Ronald Eikenberg for reporting this to us," Kaspersky said.

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.