One of the hardest things to do online these days is protecting your privacy. Between tracking cookies, Facebook pixels, and the like, it can be difficult to keep websites from following you across the web. Incognito mode in your browser does an okay job of hiding your activity by preventing the cookies. Tools like PureVPN allow you to obfuscate your browsing history by adjusting your IP address, and even your global location, as you browse. Other tools, such as Tor, create an untraceable route to hide your activities. While there are certain ways to identify some users, these processes do a good job for most users.
The issue was discovered by Ronald Eikenberg, a reporter for c't, who published the story after Kaspersky was alerted to the problem. Kaspersky removed the code in an update released in June of this year, and they alerted users through a security advisory a month later. A statement from the company said,
Kaspersky has changed the process of checking webpages for malicious activity by removing the usage of unique identifiers for the GET requests. This change was made after Ronald Eikenberg reported to us that using unique identifiers for the GET requests can potentially lead to the disclosure of a user's personal information.
After our internal research, we have concluded that such scenarios of user's privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process.
We'd like to thank Ronald Eikenberg for reporting this to us.
Despite the company's belief that it was unlikely to be exploited, it is a fairly simple and financially rewarding process. If this had been discovered by others before this disclosure, it would have been easy to build a full browsing history for a unique user, which could have high value for marketers. It would also have been far more precise and less cumbersome than scanning the installed fonts, extensions, and configuration, which can also be used to identify some users, but not most, as the average user doesn't add fonts or extensions, or even change browser settings.