New vulnerability in Kaspersky antivirus makes browsing history of millions of people public

Antivirus solutions are one of the basic protection tools for computer users; however, this software is not safe from flaws that alter the security and privacy environment. Recently, IT system audit specialists reported a new vulnerability in the antivirus software of the Russian firm Kaspersky Lab that leaked some details about preferences and customs in the users’ web browser.

For years, the antivirus of this firm injected an identifier into the HTML of the web pages visited by the user, allowing the sites to know which browser was being used and know if the private mode was enabled, it is even feared that the identifier has been leaking the browsing history of those affected. 

IT system audit expert Ronald Eikenberg discovered that this identifier, known as Kaspersky JavaScript, was injected into every page he visited, regardless of whether he was using Chrome, Edge, Firefox or any other browser. “This information may be used to track visitors to any website for marketing purposes, primarily”, the expert mentions.

Apparently this practice began at the end of 2015 and stopped a few weeks ago, meaning that for almost four years all Kaspersky Lab anti malware products leaked out these details about browser use. “Kaspersky helped create a gigantic tracking mechanism that can’t even be bypassed using the browser’s private mode,” says Eikenberg.

The security firm released an update last June, plus an alert for all its users; this behavior was reported as security vulnerability, assigning it the key CVE-2019-8286. Unfortunately this is not the only method used by websites to track their visitors. Although the most common forms of tracking are the use of IP addresses or cookies, the drivers of these web pages also use browser extensions or configuration modifications for these activities.

However, the IT system audit expert states that injecting a user ID into each website is an unnecessary feature in antivirus solutions, as well as being a violation of users’ privacy. In addition, there is the possibility that Kaspersky is not the only antivirus company that performs this practice, either carelessly or intentionally.

In this regard, Kaspersky published a statement mentioning that its web page verification process for suspicious activity has been updated. “Thanks to an internal investigation we conclude that these privacy flaws are in fact possible, although their occurrence in real-world scenarios is highly unlikely, as their exploitation requires complex hacking techniques and is not a profitable activity for the threat actors. We will keep working to provide our users with a better service,” the statement says. 

IT system audit experts from the International Institute of Cyber Security (IICS) believe that antivirus manufacturers should pay more attention to potential leaks of sensitive information that could result from use of these products, as a tool used for antimalware protection should not compromise users’ privacy.