Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Security IT

Unique Kaspersky AV User ID Allowed 3rd-Party Web Tracking (bleepingcomputer.com) 16

Kaspersky antivirus solutions injected in the web pages visited by its users an identification number unique for each system. This started in late 2015 and could be used to track a user's browsing interests. From a report: Versions of the antivirus product, paid and free, up to 2019, displayed this behavior that allows tracking regardless of the web browser used, even when users started private sessions. Signaled by c't magazine editor Ronald Eikenberg, the problem was that a JavaScript from a Kaspersky server loaded from an address that included a unique ID for every user. Scripts on a website can read the HTML source and glean the Kaspersky identifier, which Eikenberg determined to remain unchanged on the system.
This discussion has been archived. No new comments can be posted.

Unique Kaspersky AV User ID Allowed 3rd-Party Web Tracking

Comments Filter:
  • by ctilsie242 ( 4841247 ) on Thursday August 15, 2019 @02:40PM (#59091038)

    I remember some ISPs injecting a unique tag into HTTP headers. However, an AV program is worse, as it can inject the headers before SSL/TLS, and might even be able to carry some info with them.

    I have no clue why Kaspersky would do this, as they have a very good name when it comes to security and AV. This doesn't provide security for the users, but in fact weakens it.

    • Re: (Score:3, Informative)

      by christose ( 866872 )

      It's for their URL Advisor feature. It annotates pages like Google search results with a color indicator next to each link, to show if the link is "safe" or not. In my version of Kaspersky Antivirus You can disable it from Options => Additional => Networking.

    • Putin made 'em do it

  • by QuietLagoon ( 813062 ) on Thursday August 15, 2019 @02:43PM (#59091050)
    imo, that's the reason it was done - tracking.
  • by account_deleted ( 4530225 ) on Thursday August 15, 2019 @02:48PM (#59091096)
    Comment removed based on user account deletion
    • Guilty of what exactly ?

      The summary is wildly misleading vs the article. Karpersky is guilty of sloppy thinking but not maliciousness. They weren't tracking you. But because they injected your id into the page a remote site could track you.

      So a site could track the IDs of those visitors who visited their site who used Kapersky *if* the site knew about the vulnerability.

      Sub-optimal ? Sure

      Horrifyingly terrible breach of trust ? Not even a little bit.

      • Re:Modest proposal (Score:4, Insightful)

        by 110010001000 ( 697113 ) on Thursday August 15, 2019 @03:04PM (#59091188) Homepage Journal

        "They weren't tracking you."
         
        People are weird. How do you know they weren't tracking you? How do you know anything about what they do? It is completely closed and proprietary software. They could be doing anything they want.

        • They probably were tracking you but this mechanism didn't give them the ability to track you. It gave a site, any site that wasn't Kapersky, the ability to correlate your traffic to their site with traffic to some other site where they could cross reference your unique Kapersky id.

          The only way Kapersky could use this to track you was if they controlled every site you visited. Doesn't mean they weren't tracking you, it means they weren't using this to do it.

          • So, you're saying they should close the loop by providing a service for website operators that happens to send events to Kapersky for "analysis" (along with your tracking ID)?

            I'll be off now.

      • To me, it is a horrifying breach of trust just that they would even hire someone stupid enough to think this would have ever been okay. And I do advocate federal penalties for anyone caught doing this on purpose, if malicious intent can be proven. And I do think malicious intent was involved due to the fact they should have known better in the first place. But I don't think it will be proven, and even if it were, as a foreign company we have very little recourse against Kapersky in the first place.

        Regard

    • Comment removed based on user account deletion
  • Kaspersky is Russian (Score:4, Interesting)

    by couchslug ( 175151 ) on Thursday August 15, 2019 @02:52PM (#59091118)

    therefore an organ of the Kremlin. That cannot be otherwise or they'd be out of business.

  • Yes they have a good reputation but it is still worth being very careful with their "free" product.
  • by epine ( 68316 ) on Thursday August 15, 2019 @03:15PM (#59091246)

    You can't possibly do this without knowing deep in your bones that the ID is uniquely trackable, and that the user has neither been consulted or proactively informed.

  • by fustakrakich ( 1673220 ) on Thursday August 15, 2019 @04:42PM (#59091558) Journal

    Time to ban it. And what the hell, let's take out CSS too.

    *Make The Web HTML Again!*

You know you've landed gear-up when it takes full power to taxi.

Working...