NoGoolag
Browser add-ons from various antivirus vendors are spying on you

According to a report by penetration tester Mike Kuketz, the browser add-ons of some antivirus vendors transfer far too much data. The extensions from Avast, Avira, Bitdefender, Comodo and Symantec transfer the full URL of the visited websites.

The freelance penetration tester Mike Kuketz has taken a critical look at the browser extensions of various antivirus manufacturers in recent days.

Kuketz found that the extensions: 👇

❗️Avast Online Security from Avast
❗️Avira Browser Safety from Avira
❗️Bitdefender TrafficLight for Firefox by Bitdefender
❗️Online Security Pro by Comodo
❗️Norton Safe Web from Symantec

transfer the complete Internet address of the visited web pages to the server of the respective manufacturer. The companies usually justify this by saying that it lets them recognize dangerous web pages (phishing etc.) and block them automatically. According to Kuketz, it would be sufficient to simply transfer the domain name. Then the manufacturers would find out far less about the surfing behaviour of their customers. The current implementation is "not particularly data protection-friendly".

⚠️Avast Online Security generates a unique user ID

Avast Online Security also assigns each user a unique user ID so that Avast can recognize them at any time. A lot of transferred data also means that in theory it would be possible to use the information as a sham. In this context, Kuketz rightly refers to the scandal when it became known that the Firefox add-on "Web of Trust" had spied on millions of users - including some members of the German Bundestag. By the end of 2016, NDR journalists had revealed how a million-dollar business had been generated from the collected data.

But back to the browser add-ons: It would have to be clarified whether the users are fully informed by the manufacturers. After all, their complete surfing behavior is logged. It is also questionable what happens to all the recorded data afterwards! Is it simply deleted?

✅ Tip

Just check your own browser for all installed extensions; that doesn't cost us five minutes of our precious lifetime! Everything you don't use regularly should be thrown out immediately! The fewer extensions are installed, the better. The best data is no data. If no data is collected, no one can use it. Otherwise we will soon be "naked on the net" again, as we were in November 2016. Who wants that?

👉 https://www.kuketz-blog.de/browser-add-ons-wie-antiviren-hersteller-ihre-nutzer-ausspionieren/
👉 https://t.me/cRyPtHoN_INFOSEC_DE/2021

#AntiVirus #Browser #Addons
📡 @cRyPtHoN_INFOSEC_DE
📡 @cRyPtHoN_INFOSEC_EN
Most antivirus apps do absolutely nothing
Some of the Android apps in the Google Play store were so ineffective that they detected themselves as malware

Two thirds of Android antivirus apps that appear in the Google Play store provide no protection for devices, tests have revealed.

Researchers at the Austrian antivirus testing firm AV-Comparatives analysed 250 apps claiming to offer security for Android smartphones and tablets.

Their results found that less than a third of them managed to detect even 30 per cent of the malicious apps released in 2018, while 80 of the apps tested failed to meet the firm's most basic requirements for cyber security.

"Some of the Android security products in our test blocked so few of the malware samples – in some cases literally none – that they cannot reasonably be described as anti-malware apps," stated a report of the findings.

The tests found that some apps in the Google Play store were so ineffective that they detected themselves as malware.

https://www.av-comparatives.org/tests/android-test-2019-250-apps/

https://www.independent.co.uk/life-style/gadgets-and-tech/news/android-antivirus-app-fake-google-play-a8827816.html

📡 @NoGoolag
#google #playstore #antivirus #ineffective #fake #malware
Kasper-Spy: Kaspersky Anti-Virus puts users at risk

Kaspersky promises security and data protection. However, a data leak allowed third parties to spy on users while they were surfing the web. For years.

A strange discovery on my office computer led me to unearth an astonishing data leak caused by Kaspersky's antivirus software. Originally, I had installed the software in order to experience the promised added value during everyday use. We, journalists at c't magazine, regularly test antivirus software, and this was part of a test for our c't issue 3/2019.

The following weeks and months seemed to offer little excitement – the Kaspersky software worked essentially as well or as badly as Windows Defender. One day, however, I made a strange discovery. I looked at the HTML source code of an arbitrary website and came across the following line of code:

<script type="text/javascript" src="https://gc.kis.v2.scr.kaspersky-labs.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.js" charset="UTF-8"></script>

Obviously, an external JavaScript script named main.js was being loaded from a Kaspersky domain. This is not uncommon, since a website nowadays hardly works without external JavaScript resources. However, when I checked the HTML source of other websites displayed in my browser, I found the strange code on each and every page. Without exception, even on the website of my bank, a script from Kaspersky was introduced. So I had an inkling that the Kaspersky software might have something to do with it.

To investigate, I experimented with the web browsers Firefox, Edge, and Opera. Again, the same line of code popped up everywhere. Since I had no suspicious browser extensions installed which could be responsible, the simple conclusion was that Kaspersky's virus protection was manipulating my traffic. Without my permission, it was injecting that code. Before that day, I had observed such behaviour only from online banking Trojans. That is malware built to manipulate bank websites, for example to secretly change the recipient of a money transfer. But what the heck was Kaspersky doing there?

My first examination of Kaspersky's script main.js showed me that, among other things, it displays green icons with Google search results if Kaspersky believes the relevant link to lead to a clean website. This could have been the end of my analysis, but there was this one small detail: The address from which the Kaspersky script was loaded contained a suspicious string:

https://gc.kis.v2.scr.kaspersky-labs.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.js

The part marked bold has a characteristic pattern. The structure matches a so-called Universally Unique Identifier (UUID). These IDs are used to make things, well, uniquely identifiable. But who or what can be identified using the Kaspersky ID?

I expanded my experiment and installed the Kaspersky software on other computers. Kaspersky also injected JavaScript on those other systems. However, I discovered a crucial difference: The UUID in the source address was different on each system. The IDs were persistent and did not change, even several days later. So it was clear that each computer had its own permanently assigned ID.

πŸ‘‰πŸΌ Read more:
https://www.heise.de/ct/artikel/Kasper-Spy-Kaspersky-Anti-Virus-puts-users-at-risk-4496138.html

#Kaspersky #AntiVirus #software #Spy #DataLeak
📡 @cRyPtHoN_INFOSEC_DE
📡 @cRyPtHoN_INFOSEC_EN
📡 @cRyPtHoN_INFOSEC_ES
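
The check the article describes, comparing the page source of unrelated sites on one machine, as an added example (not code from the c't article or from Kaspersky): it flags third-party script URLs whose path carries a UUID and that recur across different sites. The function names and the `.example` pages are constructed for illustration; the script URL is the one quoted in the post.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

class ScriptSources(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def shared_script_ids(pages, min_sites=2):
    """pages maps page URL -> HTML as rendered on one machine.
    Returns {(script_host, uuid): [page hosts]} for UUID-bearing third-party
    script URLs that show up on at least min_sites different sites."""
    seen = defaultdict(set)
    for page_url, html in pages.items():
        page_host = urlsplit(page_url).hostname
        parser = ScriptSources()
        parser.feed(html)
        for src in parser.sources:
            parts = urlsplit(src)
            if not parts.hostname or parts.hostname == page_host:
                continue  # relative or same-host script: the site's own code
            for uuid in UUID_RE.findall(parts.path):
                seen[(parts.hostname, uuid.upper())].add(page_host)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_sites}

# Constructed sample: three unrelated pages as saved from one browser profile.
INJECTED = ('<script type="text/javascript" src="https://gc.kis.v2.scr.kaspersky-labs'
            '.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.js" charset="UTF-8"></script>')
SAMPLE_PAGES = {
    "https://bank.example/login":
        "<html><head>" + INJECTED + '<script src="/app.js"></script></head></html>',
    "https://news.example/":
        '<html><head><script src="https://cdn.example/'
        'a1b2c3d4-0000-4000-8000-00000000abcd/lib.js"></script>' + INJECTED + "</head></html>",
    "https://shop.example/cart":
        "<html><body><p>cart</p>" + INJECTED + "</body></html>",
}
```

A UUID that appears on only one site (the constructed `cdn.example` script) is not reported; only an identifier that follows the browser from site to site is.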
Exploiting (Almost) Every Antivirus Software

Summary

Antivirus software is supposed to protect you from malicious threats, but what if that protection could be silently disabled before a threat can even be neutralized? What if that protection could be manipulated to perform certain file operations that would allow the operating system to be compromised or simply rendered unusable by an attacker?

RACK911 Labs has come up with a unique but simple method of using directory junctions (Windows) and symlinks (macOS & Linux) to turn almost every antivirus software into self-destructive tools.

Method of Exploitation
Most antivirus software works in a similar fashion: When an unknown file is saved to the hard drive, the antivirus software will usually perform a “real time scan” either instantly or within a couple of minutes. If the unknown file is determined to be a suspected threat, the file will then be automatically quarantined and moved to a secure location pending further user instructions or it will simply be deleted.

Given the nature of how antivirus software has to operate, almost all of them run in a privileged state meaning the highest level of authority within the operating system. Therein lies a fundamental flaw as the file operations are (almost) always performed at the highest level which opens the door to a wide range of security vulnerabilities and various race conditions.

What most antivirus software fails to take into consideration is the small window of time between the initial file scan that detects the malicious file and the cleanup operation that takes place immediately after. A malicious local user or malware author is often able to perform a race condition via a directory junction (Windows) or a symlink (Linux & macOS) that leverages the privileged file operations to disable the antivirus software or interfere with the operating system to render it useless, etc.

πŸ‘‰πŸΌ Read more:
https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software/

#exploiting #antivirus #RACK911
📡 @cRyPtHoN_INFOSEC_DE
📡 @cRyPtHoN_INFOSEC_EN
📡 @BlackBox_Archiv
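
The scan-then-cleanup window described in the post, as an added example that is not RACK911's or any vendor's code: a cleanup that re-resolves the path, next to one that pins the scanned directory with a file descriptor and checks the inode before deleting. POSIX only; all function names are hypothetical, and the directory swap is replayed deterministically inside a temporary directory.

```python
import os
import tempfile

def naive_cleanup(path):
    """Vulnerable pattern: the path is resolved again at delete time."""
    os.remove(path)

def pin(directory, name):
    """At scan time: pin the directory with an fd and record the file's identity."""
    dir_fd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
    except OSError:
        os.close(dir_fd)
        raise
    return dir_fd, (st.st_dev, st.st_ino)

def cleanup_pinned(dir_fd, name, identity):
    """At cleanup time: act only inside the pinned directory, only on the same inode."""
    try:
        st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
        if (st.st_dev, st.st_ino) != identity:
            return False  # entry replaced since the scan: leave it alone
        os.unlink(name, dir_fd=dir_fd)
        return True
    except FileNotFoundError:
        return False
    finally:
        os.close(dir_fd)

def survives_swap(hardened):
    """Constructed scenario: the scanned directory becomes a symlink between scan
    and cleanup. Returns True if the unrelated file in 'keep' is still there."""
    with tempfile.TemporaryDirectory() as root:
        drop = os.path.join(root, "drop")
        keep = os.path.join(root, "keep")
        for d in (drop, keep):
            os.mkdir(d)
            with open(os.path.join(d, "sample.bin"), "wb") as f:
                f.write(b"constructed test data")
        if hardened:
            dir_fd, ident = pin(drop, "sample.bin")
        os.rename(drop, drop + ".old")   # path now names something else
        os.symlink(keep, drop)
        if hardened:
            cleanup_pinned(dir_fd, "sample.bin", ident)
        else:
            naive_cleanup(os.path.join(drop, "sample.bin"))
        return os.path.exists(os.path.join(keep, "sample.bin"))
```

`survives_swap(False)` loses the unrelated file because the delete follows the path to wherever it points now; `survives_swap(True)` keeps it because the descriptor still refers to the directory that was scanned.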