Kaspersky has put its own users at risk for almost 4 years


When we install an antivirus on our computer or mobile phone, we do it, in principle, to protect ourselves from the threats that threaten us through the Internet . However, it seems that all that glitters is not gold either. At least in the case of Kaspersky, which has just been released now.

For at least four years, Kaspersky Lab's antivirus products have compromised the security of the customers who had them installed. How? Well, as has just been published, through the injection of a unique identifier code into the HTML of each of the web pages that the user visited. In this way, any site could identify a user when they use incognito mode in a browser or when they switch browsers to use Chrome, Firefox or Edge.

The information, published in c't Magazine, reveals that this code was JavaScript injected by Kaspersky on every page that the user visited. This was used to enter a green code , which represented a secure link, returned in search results. It was as follows:


A code to be tracked with, even in incognito mode

The person responsible for this finding is Ronald Eikenberg, who found the famous JavasScript injected by the antivirus that he had installed on his computer, from Kaspersky. This had generated a unique label - a kind of code with different numbers and letters (specifically 9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615) - which was injected into each of the pages visited through the browser.

This also happened with any browser. He tested it with Chrome, Firefox, Edge, and Opera. And the result was always the same. In fact, the one-man code was injected into the html of the pages even when accessed from the browser in incognito mode. That same code is what those responsible for any website could use if they wanted to track it as a user.

cyber-security-3400723_1280 (1)

Kaspersky has operated for 4 years in this way

The truth is that this has not been happening for a short time. Nothing is further from reality. Kaspersky introduced the famous identifier in autumn 2015 and after Eikenberg's warning to the company itself, it stopped using it. It happened in June of this year, so Kaskpersy was using it for almost four years and in all the versions of antivirus for Windows that the company has made available to users. Also in the versions that can be downloaded for free and that are Kaspersky Internet Security and Kaspersky Total Security.

The security problem has been identified with the following code CVE-2019-8286. For experts, adding a unique identifier is a completely unnecessary option, although there are also other systems that can help identify the user, such as cookies and IP addresses . Be that as it may, we are not facing an ideal option to maintain the privacy of users.

For its part, Kaspersky has not been slow to offer a statement in which it acknowledges that the unique identifiers were eliminated, after being informed by the aforementioned journalist, who they thank for their work. They consider, however, that while identifiers can be used to identify users, cybercriminals are unlikely to track these characteristics. Firstly because it is a complex procedure and secondly because it would be unprofitable.