Exclusive: Researchers say Kaspersky web portal exposed users to session hijacking, account takeover

LASER_oneXM

Feb 4, 2016
Security researchers say they discovered several vulnerabilities and security lapses in Kaspersky Lab's my.kaspersky.com web portal earlier this month, adding that the flaws exposed users to potential session hijackings and account takeovers.

According to a new report from the cybersecurity firm LMNTRIX – shared first with SC Media – the issues primarily were found in the processes for authentication, session management and validation, and password changes. The researchers say the problems were remedied following private notification, yet Kaspersky Lab is denying that most of the issues existed in the first place.

More specifically, the LMNTRIX report notes that my.kaspersky.com suffered from a lack of protections against automated brute force and credential stuffing attacks (which can lead to an account takeover), allowed weak or default passwords (such as admin/admin), employed insecure credential recovery processes (e.g. knowledge-based security questions), and had missing or ineffective multi-factor authentication.

Problems with the session IDs reportedly included exposed IDs in the URL, failure to rotate the IDs after a successful log-in, and a failure to invalidate a session ID after the portal visitor logs out or remains inactive for a long period of time.

In a statement provided to SC Media, Kaspersky disputes most of LMNTRIX's account, asserting that the reported vulnerabilities "were never confirmed" in the first place, and therefore no action was taken.

Kaspersky Lab is also accusing LMNTRIX of several "misperceptions," claiming that its web portal is protected against automated attacks by Google's reCAPTCHA system, that knowledge-based security questions have not been used for password recovery since April 2017, and that passwords actually require at least eight symbols, including uppercase, lowercase, and numeric characters.
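The session-ID lapses the report lists (IDs exposed in the URL, no rotation after login, no invalidation on logout or after inactivity) correspond to three server-side controls, shown below in a minimal session store. This is an added example, not code from LMNTRIX, SC Media or Kaspersky; the in-memory store, the 15-minute idle timeout and the cookie attributes are assumed defaults.

```python
import secrets
import time

# Constructed policy value: seconds of inactivity before a session is dropped.
IDLE_TIMEOUT = 15 * 60


class SessionStore:
    """In-memory store implementing rotate-on-login, invalidate-on-logout
    and invalidate-on-idle. The clock is injectable so tests can advance time."""

    def __init__(self, clock=time.monotonic):
        self._sessions = {}  # session_id -> {"user": str | None, "last_seen": float}
        self._clock = clock

    def new_session(self):
        # Pre-authentication session: 256 bits from a CSPRNG, not a guessable counter.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, old_sid, user):
        # Rotate: discard the pre-login ID so a leaked or fixated ID never becomes
        # an authenticated one; the caller must set the new cookie.
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def logout(self, sid):
        # Invalidate server-side; clearing the browser cookie alone leaves the ID live.
        return self._sessions.pop(sid, None) is not None

    def resolve(self, sid):
        """Return the user bound to a live session, or None. Expires idle sessions."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]


def set_cookie_header(sid):
    # Carry the ID in a cookie, never in the URL, where it lands in server logs,
    # browser history and Referer headers.
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```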