Russian security firm Kaspersky made tracking users online easier - The UpStream

Russian security firm Kaspersky made tracking users online easier

posted Saturday Aug 17, 2019 by Scott Ertz

One of the hardest things to do online these days is protecting your privacy. Between tracking cookies, Facebook pixels, and the like, it can be difficult to keep websites from following you across the web. Incognito mode in your browser does an okay job of hiding your activity by preventing the cookies. Tools like PureVPN allow you to obfuscate your browsing history by adjusting your IP address, and even your global location, as you browse. Other tools, such as Tor, create an untraceable route to hide your activities. While there are certain ways to identify some users, these processes do a good job for most users.

However, another security tool created a scenario that made tracing user activity incredibly easy. Since 2015, Kaspersky Anti-Virus has injected a small block of JavaScript into every page you visit in an attempt to identify safe links on pages, including search results. The code included a unique identifier, making it very easy for a website to read the injected JavaScript and identify the user. The UUID was consistent across browsers, including Chrome, Edge, and Firefox, and was present even in incognito mode. That means that switching browsers or entering incognito mode did not prevent tracking.
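A way to audit a machine for the behaviour described above, as an added example that is not from the article or from Kaspersky: compare a page as the origin served it with the same page as captured in several browser profiles, and report any UUID that shows up in injected script URLs in every profile. The host name, UUIDs and HTML are constructed, and carrying the identifier in the script URL is an assumption, since the article does not give the injected code's format.

```javascript
// Added example: audit page captures for a locally injected script that carries
// a stable identifier. All host names, IDs and HTML below are constructed.
const UUID_RE = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/gi;

// Collect the src of every <script> tag in an HTML string.
function scriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const out = new Set();
  let m;
  while ((m = re.exec(html)) !== null) out.add(m[1]);
  return out;
}

// servedHtml: the page as the origin sent it (captured on a clean machine).
// captures: { profileName: HTML as seen in that browser profile's DOM }.
// Returns the identifiers present in injected script URLs of every profile.
function findPersistentInjectedIds(servedHtml, captures) {
  const served = scriptSources(servedHtml);
  let common = null;
  for (const html of Object.values(captures)) {
    const ids = new Set();
    for (const src of scriptSources(html)) {
      if (served.has(src)) continue; // the origin's own script, not injected
      for (const id of src.match(UUID_RE) || []) ids.add(id.toLowerCase());
    }
    common = common === null ? ids : new Set([...common].filter((id) => ids.has(id)));
  }
  return [...(common || [])].sort();
}

// Constructed sample data (hypothetical injector host and script path).
const SERVED = '<html><head><script src="/static/app.js"></script></head></html>';
const inject = (id) =>
  `<html><head><script src="https://av-injected.example/${id}/main.js"></script>` +
  '<script src="/static/app.js"></script></head></html>';
const STABLE = "11111111-2222-4333-8444-555555555555";
const CAPTURES_AFFECTED = {
  "chrome": inject(STABLE),
  "firefox-private": inject(STABLE),
  "edge": inject(STABLE),
};
// Hypothetical injector whose ID differs per profile: nothing survives the intersection.
const CAPTURES_VARYING = {
  "chrome": inject("aaaaaaaa-0000-4000-8000-000000000001"),
  "firefox-private": inject("aaaaaaaa-0000-4000-8000-000000000002"),
};

console.log(findPersistentInjectedIds(SERVED, CAPTURES_AFFECTED));
console.log(findPersistentInjectedIds(SERVED, CAPTURES_VARYING));
```

A non-empty result means some locally installed software is adding the same identifier to pages in every browser profile, which is the condition that made cross-browser tracking possible here.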

The issue was discovered by Ronald Eikenberg, a reporter for c't, who published the story after Kaspersky was alerted to the problem. Kaspersky removed the code in an update released in June of this year, and they alerted users through a security advisory a month later. A statement from the company said,

Kaspersky has changed the process of checking webpages for malicious activity by removing the usage of unique identifiers for the GET requests. This change was made after Ronald Eikenberg reported to us that using unique identifiers for the GET requests can potentially lead to the disclosure of a user's personal information.

After our internal research, we have concluded that such scenarios of user's privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process.

We'd like to thank Ronald Eikenberg for reporting this to us.

Despite the company's belief that the flaw was unlikely to be exploited, exploiting it is a fairly simple and financially rewarding process. If this had been discovered by others before this disclosure, it would have been easy to build a full browsing history for a unique user, which could have high value for marketers. It would also have been far more precise and less cumbersome than scanning the installed fonts, extensions, and configuration, which can also be used to identify some users, but not most, as the average user doesn't add fonts or extensions, or even change browser settings.

