Forwarded from BlackBox (Security) Archiv
Kasper-Spy: Kaspersky Anti-Virus puts users at risk
Kaspersky promises security and data protection. However, a data leak allowed third parties to spy on users while they were surfing the web. For years.
A strange discovery on my office computer led me to unearth an astonishing data leak caused by Kaspersky's antivirus software. Originally, I had installed the software in order to experience the promised added value during everyday use. We, journalists at c't magazine, regularly test antivirus software, and this was part of a test for our c't issue 3/2019.
The following weeks and months seemed to offer little excitement β the Kaspersky software worked essentially as well or as badly as Windows Defender. One day, however, I made a strange discovery. I looked at the HTML source code of an arbitrary website and came across the following line of code:
To investigate, I experimented with webbrowsers Firefox, Edge, and Opera. Again, the same line of code popped up everywhere. Since I had no suspicious browser extensions installed which could be responsible, the simple conclusion was that Kaspersky's virus protection was manipulating my traffic. Without my permission, it was injecting that code. Before that day, I had observed such behaviour only from online banking Trojans. That is malware built to manipulate bank websites, for example to secretly change the recipient of a money transfer. But what the heck was Kaspersky doing there?
My first examination of Kaspersky's script main.js showed me that, among other things, it displays green icons with Google search results if Kaspersky believes the relevant link to lead to a clean website. This could have been the end of my analysis, but there was this one small detail: The address from which the Kaspersky script was loaded contained a suspicious string:
I expanded my experiment and installed the Kaspersky software on other computers. Kaspersky also injected JavaScript on those other systems. However, I discovered a crucial difference: The UUID in the source address was different on each system. The IDs were persistent and did not change, even several days later. So it was clear that each computer had it's own permanently assigned ID.
ππΌ Read more:
https://www.heise.de/ct/artikel/Kasper-Spy-Kaspersky-Anti-Virus-puts-users-at-risk-4496138.html
#Kaspersky #AntiVirus #software #Spy #DataLeak
π‘@cRyPtHoN_INFOSEC_DE
π‘@cRyPtHoN_INFOSEC_EN
π‘@cRyPtHoN_INFOSEC_ES
Kaspersky promises security and data protection. However, a data leak allowed third parties to spy on users while they were surfing the web. For years.
A strange discovery on my office computer led me to unearth an astonishing data leak caused by Kaspersky's antivirus software. Originally, I had installed the software in order to experience the promised added value during everyday use. We, journalists at c't magazine, regularly test antivirus software, and this was part of a test for our c't issue 3/2019.
The following weeks and months seemed to offer little excitement β the Kaspersky software worked essentially as well or as badly as Windows Defender. One day, however, I made a strange discovery. I looked at the HTML source code of an arbitrary website and came across the following line of code:
<script type="text/javascript" src="https://gc.kis.v2.scr.kaspersky-labs.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.js" charset="UTF-8"></script>Obviously, an external JavaScript script named main.js was being loaded from a Kaspersky domain. This is not uncommon, since a website nowadays hardly works without external JavaScript resources. However, when I checked the HTML source of other websites displayed in my browser, I found the strange code on each and every page. Without exception, even on the website of my bank, a script from Kaspersky was introduced. So I had an inkling that the Kaspersky software might have something to do with it.
To investigate, I experimented with webbrowsers Firefox, Edge, and Opera. Again, the same line of code popped up everywhere. Since I had no suspicious browser extensions installed which could be responsible, the simple conclusion was that Kaspersky's virus protection was manipulating my traffic. Without my permission, it was injecting that code. Before that day, I had observed such behaviour only from online banking Trojans. That is malware built to manipulate bank websites, for example to secretly change the recipient of a money transfer. But what the heck was Kaspersky doing there?
My first examination of Kaspersky's script main.js showed me that, among other things, it displays green icons with Google search results if Kaspersky believes the relevant link to lead to a clean website. This could have been the end of my analysis, but there was this one small detail: The address from which the Kaspersky script was loaded contained a suspicious string:
https://gc.kis.v2.scr.kaspersky-labs.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.jsThe part marked bold has a characteristic pattern. The structure matches a so-called Universally Unique Identifier (UUID). These IDs are used to make things, well, uniquely identifiable. But who or what can be identified using the Kaspersky ID?
I expanded my experiment and installed the Kaspersky software on other computers. Kaspersky also injected JavaScript on those other systems. However, I discovered a crucial difference: The UUID in the source address was different on each system. The IDs were persistent and did not change, even several days later. So it was clear that each computer had it's own permanently assigned ID.
ππΌ Read more:
https://www.heise.de/ct/artikel/Kasper-Spy-Kaspersky-Anti-Virus-puts-users-at-risk-4496138.html
#Kaspersky #AntiVirus #software #Spy #DataLeak
π‘@cRyPtHoN_INFOSEC_DE
π‘@cRyPtHoN_INFOSEC_EN
π‘@cRyPtHoN_INFOSEC_ES