Kaspersky Antivirus Software Exposed Millions to Web Tracking

Eugene Kaspersky on stage at Mobile World Congress 2017, Barcelona.
Eugene Kaspersky on stage at Mobile World Congress 2017, Barcelona. (Image credit: catwalker/Shutterstock)

UPDATED with comment from Kaspersky.

Kaspersky antivirus software let websites track users for years, a German journalist revealed today (Aug. 15).

Ronald Eikenberg of c't magazine detailed how the Kaspersky software installed on a test laptop injected JavaScript code onto every web page rendered on every browser on a test laptop. 

Even worse, the Kaspersky JavaScript contained an ID number that was replicated in every page rendered on a single machine. The ID number was changed on other PCs.

"That's a remarkably bad idea," Eikenberg wrote in the English version of his article (it's also available in German). "Other scripts running in the context of the website domain can access the entire HTML source any time, which means they can read the Kaspersky ID. In other words, any website can read the user's Kaspersky ID and use it for tracking."

You can disable the Kaspersky ID injection entirely by going into your Kaspersky software's settings, then Additional/Network, then locating Traffic Processing and unchecking "Inject script into web traffic to interact with web pages."

MORE: Best Antivirus

Eikenberg set up a website that would read the Kaspersky ID of visiting computers and display it back to them, and asked his c't colleagues to browse to his site.

"From that moment on, my test page greeted them personally whenever they opened the site -- no matter which browser they used or how often they deleted cookies," he wrote. "Even the incognito mode did not offer any protection against my Kaspersky-infused tracking. At this point, it was clear that this was a serious security issue."

Antivirus software often screens web pages against drive-by downloads and other web-based attacks, but, as Eikenberg pointed out, injecting JavaScript into all web pages may be going too far. (Other brands, however, inject code into search-results pages to add green check marks or other symbols to indicate which web links are safe.)  

Whoops, our bad

Eikenberg notified Kaspersky of the problem, and after a couple of weeks, the company confirmed that the issue existed on all versions of Kaspersky antivirus software, ranging from Kaspersky Free Anti-Virus to Kaspersky Total Security, dating back to the fall of 2015.

"Several million users must have been exposed" overall, Eikenberg reasoned.

The company downplayed the danger of the tracking ID, but nonetheless fixed it in June with a security patch for all affected Kaspersky software and published a security advisory alerting users to the flaw. 

At his request, Eikenberg said, the company also registered the bug with the Common Vulnerabilities and Exposures (CVE) bug-tracking system run by the MITRE Corporation outside Boston, so now it has its own CVE number.

Bad optics

Kasperky has been viewed with extreme suspicion by U.S. governmental agencies who fear its antivirus software could be used for espionage or sabotage on the part of the Russian government. The company's products have effectively been banned from U.S. government agencies and defense contractors. 

The German federal government has found no evidence that Kaspersky is up to any kind of no good, and we here at Tom's Guide have yet to be convinced that Kasperky software is unsafe to use for most people. But this arguably minor incident will only enhance some people's suspicions about Kaspersky.

Tom's Guide has reached out to Kaspersky for comment, and we will update this story when we receive a response.

Not out of the woods yet?

Eikenberg installed the June patch on his and his colleagues' machines, and found that Kaspersky software still injects an ID into every displayed web page. The difference is that the ID is now identical for all machines running the same version of Kaspersky software. 

Of course, "that is actually valuable information to an attacker," as Eikenberg wrote. "They may use that information to distribute malware tailored to the protection software, or to redirect the browser to a suitable scamming page."

Eikenberg has reported that to Kaspersky as a separate flaw. 

UPDATE: Kaspersky responded to our query for comment with this statement, in full:

"Kaspersky has changed the process of checking web pages for malicious activity by removing the usage of unique identifiers for the GET requests. This change was made after Ronald Eikenberg reported to us that using unique identifiers for the GET requests can potentially lead to the disclosure of a user's personal information.

"After our internal research, we have concluded that such scenarios of user's privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process. We'd like to thank Ronald Eikenberg for reporting this to us."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.