I heard a bug in Kaspersky products could be used for spying. Is that true?

The truth about the recently discovered — and already fixed — bug in Kaspersky consumer products.

You may have heard that Kaspersky spies on its clients or helps other spy on them. Some such allegations we have already addressed, but recently a new case emerged, saying that Kaspersky exposed users to cross-site tracking. We address the flap in this short post.

What happened?

A journalist named Ronald Eikenberg from c’t magazine reported that Kaspersky consumer products used unique identifiers in scripts when users visited sites on the Internet, and that those could’ve potentially been used to identify the users.

The problem (which goes by the name CVE-2019-8286) affected Kaspersky Internet Security 2019, Kaspersky Total Security 2019, Kaspersky Anti-Virus 2019, Kaspersky Small Office Security 6, and Kaspersky Free Antivirus 2019, as well as earlier versions of these software packages. Eikenberg contacted us, and we made sure to fix the problem. The corresponding patch for all affected products was issued in June, and a huge number of users have already updated the product.

What was the problem?

Basically, almost each page a user of Kaspersky consumer product loads is appended with code, that, among other things, contains a 32-character code unique to the user — and that code remained the same for that particular user across all of those Web pages.

That could potentially allow owners of the sites that host these pages to track if a specific user of Kaspersky products visited one or another of their sites, and, perhaps, revisited them later. For such tracking to work, however —and it would work, even in incognito mode — would require an exchange of information between sites.

Is it fixed now?

Yes, we released a patch on June 7, 2019, that addresses this problem. It was automatically delivered to users of all affected products, so there’s no need to do anything to apply the fix — it’s already there, if your computer has connected to the Internet since that time and if you allowed the product to update.

All updated Kaspersky consumer products give all users the same set of identifiers, so all they give away is the type of product used (be it Kaspersky Anti-Virus, Kaspersky Internet Security, or something else). They are not unique to any particular person, so they cannot be used for tracking.

Why was that happening?

To detect potentially malicious scripts on Web pages before they start running, Kaspersky products inject a JavaScript code into the page while it’s loading. That feature is not unique to Kaspersky products; it’s just how Web antiviruses work. And our JavaScript code included that identifier, previously unique but now changed to be the same for every user.

Why isn’t it a big deal, though?

Sometimes media amplify problems to attract attention. That’s what happened in this case. Theoretically this problem has real potential implications. Here are three of them.

The first one is what we described above: Marketers could’ve theoretically used those IDs to target people visiting their websites. That said, any profile they could’ve built would’ve been very slim. It is significantly easier to rely on real advertising systems such as Facebook’s or Google’s to track users, and those systems provide more information about the user to the marketer. And that’s what most website owners do. So there is just no reason to use those IDs from security solutions for that purpose.

The second is that a malefactor could’ve harvested those addresses and built malware that targets only users of Kaspersky products — and spread it among them. The same is true of every program that changes Web page code on the user side. That scenario is highly unlikely; an attacker would need not only to create such malware, but also to deliver and run it. That would require luring the user onto a malicious website, but our antiphishing and Web antivirus keep users away from malicious websites.

The third: A database of website visitors could’ve been used for phishing. That’s the most reasonable implication. Yet again, however, it would be a bad choice for a malefactor. Using publicly available information or recent leaks would be much easier.

In any case, no one observed any malicious activity abusing these unique IDs. And now that the problem is fixed, it’s too late for malefactors to jump on that train.

So, yes, “Kaspersky allows spying” is a hyped-up statement. There was a bug that could possibly have allowed some very unlikely tracking from third parties to a very limited extent, but it’s fixed now.

What should I do?

Applying the fix is as easy as letting your security solution update itself, something we recommend as a matter of course.

  • Check if your Kaspersky security solution is updated. It probably is, but in case it isn’t, we recommend you update it so that it can protect you optimally. To update the product, click on its icon in the system tray and select Update from the menu. Users of 2020 Kaspersky products should do so as well; early versions need patching to fix the issue.
  • In case you’re still worried about websites’ knowing you use a Kaspersky solution, turn off script injection. To do so, go to Settings, then Network Settings. Uncheck the Inject script into web traffic to interact with web pages option under Traffic processing. Keep in mind, however, that doing so decreases your level of protection, and we do not recommend it.