- Multiple Kaspersky products followed a URL checking practice that enabled individual user tracking online.
- The issue has been fixed through an update that came out last month, but not all implications have been resolved.
- Users could disable the URL checking in their products and browse the Web without revealing any details about themselves.
A discovery by security researcher Ronald Eikenberg reveals that the privacy of users of Kaspersky Anti-Virus, Kaspersky Internet Security, and Kaspersky Total Security could be compromised by a flaw that affects all of these products. The vulnerability was assigned the identifier “CVE-2019-8286”, and it affects all versions of these products up to and including the 2019 editions. Kaspersky acknowledged the problem upon receiving the researcher’s report and pushed a fix last month, so everyone is urged to update their tools immediately.
Websites or attackers using other scripts could capture this UUID and then use it for targeted advertising, extensive tracking, analytics, or malicious purposes. In short, the UUID compromises the privacy of the users. For his proof-of-concept demonstration, the researcher created a website that would grab the visitor’s Kaspersky ID. After logging a couple of test computers used by his colleagues, he showed the persistence of the tracking by serving them personal greetings even when they used a different browser, had cleared their cookies, or visited the demo webpage in incognito mode.
Kaspersky fixed this by changing the UUID to a constant value that is the same for all users. This way, the many thousands of Kaspersky customers can no longer be told apart and identified. However, websites can still tell whether their visitors are using a Kaspersky product, and this remains a concern for their privacy and security. One remaining risk is tailored malware that takes advantage of specific vulnerabilities. Another is a phishing attack urging victims to pay for a new Kaspersky license because their previous one has expired. If you’re worried about all this, you can simply disable the Kaspersky URL Advisor in the settings, but this also means that the suite won’t check the URLs you visit against its “known threats database”.
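The difference between the original behaviour and the fix can be checked from captured page markup. The following is an added example, not code from the article, the researcher, or Kaspersky: it classifies UUID-shaped tokens by whether they persist across browser sessions and whether they differ between installations. The markup, the host `injected.example`, the capture labels, and every UUID value are constructed for illustration.

```python
import re
from collections import defaultdict

UUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

def page(*ids):
    # Constructed markup; injected.example is a placeholder, not a real endpoint.
    return "".join(f'<script src="https://injected.example/{i}/main.js"></script>'
                   for i in ids)

# Constructed sample values.
A_ID = "11111111-1111-4111-8111-111111111111"   # unique to machine pc-a
B_ID = "22222222-2222-4222-8222-222222222222"   # unique to machine pc-b
CONST = "00000000-0000-4000-8000-00000000c0de"  # same value on every machine
NONCE = "aaaaaaaa-0000-4000-8000-00000000000{}"  # changes on every session

# (installation, browser session, HTML as received by the browser)
CAPTURES = [
    ("pc-a", "firefox",          page(A_ID, CONST, NONCE.format(1))),
    ("pc-a", "chrome-incognito", page(A_ID, CONST, NONCE.format(2))),
    ("pc-b", "firefox",          page(B_ID, CONST, NONCE.format(3))),
    ("pc-b", "chrome-incognito", page(B_ID, CONST, NONCE.format(4))),
]

def classify_tokens(captures):
    """Map each UUID-shaped token to 'per-install', 'constant' or 'per-session'."""
    sessions = defaultdict(set)                    # install -> all sessions seen
    seen = defaultdict(lambda: defaultdict(set))   # token -> install -> sessions
    for install, session, html in captures:
        sessions[install].add(session)
        for token in UUID_RE.findall(html):
            seen[token.lower()][install].add(session)
    verdicts = {}
    for token, per_install in seen.items():
        # Installs where the token appeared in every session (survives a
        # browser switch, cleared cookies, or incognito mode).
        persistent = [i for i, s in per_install.items()
                      if len(s) > 1 and s == sessions[i]]
        if not persistent:
            verdicts[token] = "per-session"   # no cross-session linkage
        elif len(sessions) > 1 and len(persistent) == len(sessions):
            verdicts[token] = "constant"      # reveals the product, not the user
        else:
            verdicts[token] = "per-install"   # identifies one installation
    return verdicts

if __name__ == "__main__":
    for token, verdict in sorted(classify_tokens(CAPTURES).items()):
        print(f"{verdict:12} {token}")
```

A `per-install` verdict corresponds to the behaviour before the fix, while `constant` corresponds to the fixed behaviour, where the value no longer separates users but still shows that the product is present.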