
Kaspersky antivirus exposed users to online tracking

(Image credit: Alexxsun)

For years, websites all over the internet were able to track visitors using Kaspersky’s antivirus solution, but both the security firm and the media are describing this as a minor flaw and nothing more than an incident.

Earlier this week, German magazine c’t published a report in which it detailed an experiment involving Kaspersky software installed on a test laptop. As it turns out, the software injects JavaScript code onto every rendered website, regardless of the browser used.

The script has an ID number that seems to be unique for every PC.

"That's a remarkably bad idea," the report states. "Other scripts running in the context of the website domain can access the entire HTML source any time, which means they can read the Kaspersky ID. In other words, any website can read the user's Kaspersky ID and use it for tracking."
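
A defender can check for this behaviour by capturing the rendered HTML of several unrelated sites on one machine and looking for an identifier that recurs across them. The sketch below is an added example, not code from c't or Kaspersky. It assumes the ID is UUID-shaped and appears in a `<script src>` URL, and every host name and ID in it is a constructed placeholder.

```javascript
// Added example: audit HTML captured on one machine for an identifier that
// recurs in <script src> URLs across unrelated origins.
// Assumption: the ID is UUID-shaped and sits in the script URL.
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
const UUID_RE = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/gi;

// Collect normalized ID tokens found in the script URLs of one page.
function idTokensInScripts(html) {
  const tokens = new Set();
  for (const tag of html.matchAll(SCRIPT_SRC_RE)) {
    for (const id of tag[1].matchAll(UUID_RE)) tokens.add(id[0].toLowerCase());
  }
  return tokens;
}

// Return tokens seen on at least minOrigins distinct origins. A site's own
// asset IDs stay on one origin; an injected per-machine ID follows the user.
function findCrossSiteIds(captures, minOrigins = 2) {
  const seen = new Map(); // token -> Set of origins
  for (const { origin, html } of captures) {
    for (const token of idTokensInScripts(html)) {
      if (!seen.has(token)) seen.set(token, new Set());
      seen.get(token).add(origin);
    }
  }
  return [...seen]
    .filter(([, origins]) => origins.size >= minOrigins)
    .map(([token, origins]) => ({ token, origins: [...origins].sort() }));
}

// Constructed sample captures (placeholder hosts and IDs, not real values).
const SAMPLE_CAPTURES = [
  { origin: "https://news.example",
    html: '<head><script src="https://injected.example/ABCDEF00-1111-2222-3333-444444444444/main.js"></script>' +
          '<script src="/static/app.js"></script></head>' },
  { origin: "https://shop.example",
    html: '<script type="text/javascript" src="https://injected.example/abcdef00-1111-2222-3333-444444444444/main.js"></script>' +
          '<script src="https://cdn.shop.example/9f8e7d6c-aaaa-bbbb-cccc-0123456789ab/bundle.js"></script>' },
  { origin: "https://shop.example",
    html: '<script src="https://cdn.shop.example/9f8e7d6c-aaaa-bbbb-cccc-0123456789ab/bundle.js"></script>' },
];

for (const hit of findCrossSiteIds(SAMPLE_CAPTURES)) {
  console.log(`${hit.token} seen on ${hit.origins.join(", ")}`);
}
```

A token reported here on origins that share no infrastructure points to something on the client, such as security software or a browser extension, rewriting pages before they render.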

The journalist who wrote the piece, Ronald Eikenberg, notified Kaspersky, which fixed the flaw this June. The company confirmed that the flaw was present in all versions of Kaspersky antivirus software released after late 2015.

"Several million users must have been exposed" overall, Eikenberg reasoned.

Despite fixing the flaw relatively fast, Kaspersky downplayed the importance of this tracking ID.

"After our internal research, we have concluded that such scenarios of user's privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process. We'd like to thank Ronald Eikenberg for reporting this to us," Kaspersky said.