Kaspersky Antivirus left millions of customers open to online tracking

Millions of users of Kaspersky Antivirus may have had their online activity tracked without their permission due to a software security flaw.

Websites may have been able to track Kaspersky users for years, with individual machines identified and every page visited monitored, a report has found.

All of the company's antivirus products are thought to be affected by the issue, meaning millions of users could have been exposed.

The flaw was uncovered by German security journalist Ronald Eikenberg, who discovered that Kaspersky's software injected JavaScript code into every web page rendered in any browser on the machine.

The Kaspersky JavaScript contained an ID number that was the same in every page rendered on a single machine, and differed from one PC to another.

“That's a remarkably bad idea,” Eikenberg wrote in c't magazine. “Other scripts running in the context of the website domain can access the entire HTML source any time, which means they can read the Kaspersky ID. In other words, any website can read the user's Kaspersky ID and use it for tracking.”

Investigating the software on a test laptop, Eikenberg found that when visitors came to his test site from other computers running Kaspersky, the site could read their Kaspersky ID and address them personally, even after they deleted their cookies.

Eikenberg notified Kaspersky of the problem, with the company later confirming that the issue existed on all versions of its antivirus software.

Kaspersky has now patched all affected software, and published a security advisory alerting users to the flaw.

If you think you've been affected, Kaspersky says the best thing to do is ensure your software is updated to the latest version, with patches available on your device or via the company's website.

“Kaspersky has changed the process of checking web pages for malicious activity by removing the usage of unique identifiers for the GET requests,” the company said in a statement. “This change was made after Ronald Eikenberg reported to us that using unique identifiers for the GET requests can potentially lead to the disclosure of a user’s personal information.”

“After our internal research, we have concluded that such scenarios of user’s privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process.”

“We’d like to thank Ronald Eikenberg for reporting this to us.”

Via Tom's Guide