Security researchers say they discovered several vulnerabilities and security lapses in Kaspersky Lab's my.kaspersky.com web portal earlier this month, adding that the flaws exposed users to potential session hijackings and account takeovers.
According to a new report from the cybersecurity firm LMNTRIX – shared first with SC Media – the issues primarily were found in the processes for authentication, session management and validation, and password changes. The researchers say the problems were remedied following private notification, yet Kaspersky Lab is denying that most of the issues existed in the first place.
More specifically, the LMNTRIX report notes that my.kaspersky.com suffered from a lack of protections against automated brute force and credential stuffing attacks (which can lead to an account takeover), allowed weak or default passwords (such as admin/admin), employed insecure credential recovery processes (e.g. knowledge-based security questions), and had missing or ineffective multi-factor authentication.
Problems with the session IDs reportedly included exposed IDs in the URL, failure to rotate the IDs after a successful log-in, and a failure to invalidate a session ID after the portal visitor logs out or remains inactive for a long period of time.
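The session-handling weaknesses listed above (ID exposed in the URL, no rotation after log-in, no invalidation on logout or after inactivity) and the lack of brute-force limiting are all addressed by the same small amount of server-side logic. The following is an added illustration written for this article, not code from my.kaspersky.com, LMNTRIX or Kaspersky Lab; the timeout, lockout threshold, the in-memory store and the plaintext credential table are constructed assumptions for the demonstration (a real deployment stores password hashes and a shared session backend).

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumption: 15 minutes of inactivity ends a session
MAX_FAILED_LOGINS = 5           # assumption: failed attempts per account before lockout


class SessionStore:
    """Minimal server-side session table keyed by an opaque, random session ID.

    Constructed example: sessions live in a dict; `clock` is injectable so idle
    expiry can be exercised deterministically.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # session_id -> {"user": str|None, "authenticated": bool, "last_seen": float}
        self._failed = {}    # username -> consecutive failed login count

    def new_anonymous(self):
        """Pre-authentication session; the ID is never trusted to identify a user."""
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy from the OS CSPRNG
        self._sessions[sid] = {"user": None, "authenticated": False, "last_seen": self._clock()}
        return sid

    def login(self, old_sid, username, password, credentials):
        """Verify credentials and rotate the session ID on success.

        `credentials` is a constructed {username: password} table standing in
        for a real hashed-password store. Returns the new session ID, or None.
        """
        # Brute-force / credential-stuffing control: refuse once the account is locked.
        if self._failed.get(username, 0) >= MAX_FAILED_LOGINS:
            return None
        # Constant-time comparison avoids leaking how many characters matched.
        if not secrets.compare_digest(credentials.get(username, ""), password):
            self._failed[username] = self._failed.get(username, 0) + 1
            return None
        # Rotation: discard the pre-login ID so a fixated or leaked pre-auth ID
        # never becomes an authenticated one.
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username, "authenticated": True, "last_seen": self._clock()}
        self._failed.pop(username, None)
        return new_sid

    def logout(self, sid):
        """Invalidate server-side; clearing the cookie in the browser is not enough."""
        self._sessions.pop(sid, None)

    def resolve(self, sid):
        """Map a presented ID to a username, or None if unknown, unauthenticated or idle-expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]  # idle timeout: drop it rather than just refusing it
            return None
        entry["last_seen"] = now
        return entry["user"] if entry["authenticated"] else None


def session_cookie_header(sid):
    """Carry the ID in a cookie, never in the URL, and mark it so scripts,
    plaintext transports and cross-site requests cannot read or replay it."""
    return f"Set-Cookie: session={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    creds = {"alice": "correct horse battery staple"}  # constructed sample credential
    anon = store.new_anonymous()
    sid = store.login(anon, "alice", "correct horse battery staple", creds)
    print("rotated:", sid != anon, "| old id resolves to:", store.resolve(anon))
    print(session_cookie_header(sid))
    store.logout(sid)
    print("after logout:", store.resolve(sid))
```

The order of checks in `login` matters: the lockout test runs before the password comparison, so a locked account rejects even a correct guess, and the failure counter is reset only on a successful login. `resolve` doing the idle check on every request is what turns a stale cookie left in a browser into a dead one rather than an open door.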
In a statement provided to SC Media, Kaspersky disputes most of LMNTRIX's account, asserting that the reported vulnerabilities "were never confirmed" in the first place, and therefore no action was taken.
Kaspersky Lab is also accusing LMNTRIX of several "misperceptions," claiming that its web portal is protected against automated attacks by Google's reCAPTCHA system, that knowledge-based security questions have not been used for password recovery since April 2017, and that passwords actually require at least eight symbols, including uppercase, lowercase, and numeric characters.