venustus

Level 45
Verified
Trusted
Content Creator
Kaspersky promises security and data protection. However, a data leak allowed third parties to spy on users while they were surfing the web. For years.
A strange discovery on my office computer led me to unearth an astonishing data leak caused by Kaspersky's antivirus software. Originally, I had installed the software in order to experience the promised added value during everyday use. We, journalists at c't magazine, regularly test antivirus software, and this was part of a test for our c't issue 3/2019.
The following weeks and months seemed to offer little excitement – the Kaspersky software worked essentially as well or as badly as Windows Defender. One day, however, I made a strange discovery. I looked at the HTML source code of an arbitrary website and came across the following line of code:

<script type="text/javascript" src="https://gc.kis.v2.scr.kaspersky-labs.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.js" charset="UTF-8"></script>
Obviously, an external JavaScript script named main.js was being loaded from a Kaspersky domain. This is not uncommon, since a website nowadays hardly works without external JavaScript resources. However, when I checked the HTML source of other websites displayed in my browser, I found the strange code on each and every page. Without exception, even on the website of my bank, a script from Kaspersky was introduced. So I had an inkling that the Kaspersky software might have something to do with it.


LASER_oneXM

Level 33
Verified
Kaspersky antivirus solutions injected in the web pages visited by its users an identification number unique for each system. This started in late 2015 and could be used to track a user's browsing interests. Versions of the antivirus product, paid and free, up to 2019, displayed this behavior that allows tracking regardless of the web browser used, even when users started private sessions.
 

SeriousHoax

Level 8
Verified
Malware Tester
Wow, this is such a serious issue. Personally I've always disabled the "Inject script into web traffic to interact with web pages" option in Kaspersky, but I did that for my own reasons only, then later found out disabling this improves browsing speed too, but now it seems like every Kaspersky user must disable this feature.
After Kaspersky distributed the patch, I did not hesitate to repeat my experiments. The software still smuggles a script with an ID into each webpage – but the ID is now identical for all users of a specific Kaspersky edition: FD126C42-EBFA-4E12-B309-BB3FDD723AC1. A website can no longer recognize individual users. However, that means it is still possible to find out if a visitor has installed Kaspersky software on their system and how old that software is.
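
An added example, not part of the original posts or the quoted article: a check a user can run over saved page sources to see whether the injected tag is present and whether its ID is the shared post-patch value or a per-installation one repeated across sites. The URL pattern is copied from the one tag quoted in the thread; that the patched product injects a tag of the same shape is an assumption, and the sample pages and `.example` origins are constructed.

```javascript
// Added example. URL shape taken from the tag quoted in the thread; the patched
// tag is ASSUMED to have the same shape. Sample pages below are constructed.
const INJECTED_TAG = /<script\b[^>]*\bsrc\s*=\s*["']https:\/\/gc\.kis\.v2\.scr\.kaspersky-labs\.com\/([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\/main\.js["'][^>]*>/gi;
const SHARED_ID = "FD126C42-EBFA-4E12-B309-BB3FDD723AC1"; // post-patch ID quoted in the thread

// Return every injected ID found in one page's HTML source (upper-cased).
function findInjectedIds(html) {
  return [...html.matchAll(INJECTED_TAG)].map((m) => m[1].toUpperCase());
}

// pages: { origin: htmlSource }. Groups origins by injected ID and rates each ID.
function auditPages(pages) {
  const byId = new Map();
  for (const [origin, html] of Object.entries(pages)) {
    for (const id of findInjectedIds(html)) {
      if (!byId.has(id)) byId.set(id, new Set());
      byId.get(id).add(origin);
    }
  }
  return [...byId].map(([id, origins]) => ({
    id,
    origins: [...origins].sort(),
    // shared-id: reveals the product, not the installation.
    // cross-site-unique-id: same non-shared ID on unrelated sites, i.e. linkable.
    verdict: id === SHARED_ID ? "shared-id"
      : origins.size > 1 ? "cross-site-unique-id" : "unique-id-one-page",
  }));
}

// Constructed sample input: page sources as saved before and after the patch.
const tag = (id) =>
  `<script type="text/javascript" src="https://gc.kis.v2.scr.kaspersky-labs.com/${id}/main.js" charset="UTF-8"></script>`;
const SAMPLE_BEFORE = {
  "https://bank.example": `<html><head>${tag("9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615")}</head></html>`,
  "https://news.example": `<html><head>${tag("9344fda7-afdf-4ba0-a915-4d7eeb9a6615")}</head></html>`,
  "https://plain.example": `<html><head><script src="/app.js"></script></head></html>`,
};
const SAMPLE_AFTER = {
  "https://bank.example": `<html><head>${tag(SHARED_ID)}</head></html>`,
  "https://news.example": `<html><head>${tag(SHARED_ID)}</head></html>`,
};

console.log(auditPages(SAMPLE_BEFORE), auditPages(SAMPLE_AFTER));
```

A page with no finding either was fetched without the product in the path or has the injection option disabled; an empty result says nothing about other tracking vectors.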
 

Local Host

Level 18
Verified
Wow, this is such a serious issue. Personally I've always disabled the "Inject script into web traffic to interact with web pages" option in Kaspersky, but I did that for my own reasons only, then later found out disabling this improves browsing speed too, but now it seems like every Kaspersky user must disable this feature.
Not serious at all, as there's no personal information whatsoever and details are exclusive to Kaspersky.

This is less serious than your IP being leaked to every website you visit (it says what country you are from, your overall location and ISP), while Kaspersky was only showing a private ID (which no one has details on), they can't find out your name nor any of the details above from it.

This is being blown out of proportion, anyone who takes this seriously then needs to consider taking the IP leak, WebRTC and even User Agent seriously.
 

harlan4096

Level 62
Verified
Staff member
Malware Hunter
Not serious at all, as there's no personal information whatsoever and details are exclusive to Kaspersky.

This is less serious than your IP being leaked to every website you visit (it says what country you are from, your overall location and ISP), while Kaspersky was only showing a private ID (which no one has details on), they can't find out your name nor any of the details above from it.

This is being blown out of proportion, anyone who takes this seriously then needs to consider taking the IP leak, WebRTC and even User Agent seriously.
[Image: 1565955036311.png]


Taken from Kaspersky Community: Does Kaspersky put users at risk? [merged] | Kaspersky Community

Still I don't know if this would be possible... :unsure: :emoji_thinking:
 

ZeroDay

Level 28
Verified
Malware Tester
This isn't a security issue, it's a privacy one, and although it shouldn't have happened, it's not serious and it's pretty much fixed. I'd like to see some sort of comparison between all vendors and how their web protection may do more harm than good, including a more thorough look at Kaspersky's web protection.

@Local Host hit the nail on the head - this is less serious than your IP being leaked. And if you've got a Google account, social media account etc. you've got a tracking ID or maybe even multiple tracking IDs anyway.
 

Evjl's Rain

Level 43
Verified
Trusted
Content Creator
Malware Hunter
but say "This will reduce protection"
no it does not
Unchecking the option will make some modules weaker such as Safe Money, antibanner... but it doesn't affect webfilter functionality
if you use paid versions, you may consider that option but if you use free, you don't need it and should never use it
unchecking it will significantly lower resource usage. Very very noticeable speed boost on web browsing and much lower CPU usage
 

motox781

Level 8
Verified
no it does not
Unchecking the option will make some modules weaker such as Safe Money, antibanner... but it doesn't affect webfilter functionality
if you use paid versions, you may consider that option but if you use free, you don't need it and should never use it
unchecking it will significantly lower resource usage. Very very noticeable speed boost on web browsing and much lower CPU usage
Safe money will not work with it disabled.
 


Evjl's Rain

Level 43
Verified
Trusted
Content Creator
Malware Hunter
So disabling it is a wise thing to do? It seems an essential option and it should be enabled.
as I said above, if you use paid versions, you might need to keep it because of some extra modules only available in paid versions
free version only has URL advisor which requires script injection -> use alternative such as BD trafficlight -> you have both filters from the best 2 vendors

people call Kaspersky a heavy AV for a reason

I would not sacrifice the whole browsing experience (slow, sluggish and CPU hogging) for 1 or 2 modules that I don't actually use or I have alternatives
for safe money, I use incognito mode inside sandboxie (not as good as safe money) or comodo virtual desktop or browser inside comodo sandbox (better than safe money, I assume)
 

Slyguy

Level 42
Verified
I've never trusted Kaspersky. Not because of Russia, but because of Kaspersky.

Every single time I have tested that software I had 'oddities', and in multiple cases, I started having accounts/sites informing me someone was trying to access my data. It stopped when I stopped with Kaspersky. It's possible it was a coincidence, but I find it unlikely.

This script injection I always turned off when I tried it because I don't like things injecting into web pages, it's a bad idea.

Kaspersky is a bad idea IMO.
 

DeepWeb

Level 24
Verified
Patched in June. There are a billion other ways to track me on the Internet. I doubt anyone would even bother using Kaspersky's "cookies". That's what they are. Why the panic. The other AV vendors probably have them too and are rushing to hide them now that Kaspersky got exposed.