Kaspersky Antivirus flaw leaves millions open to online hack


Customers using Kaspersky Antivirus to protect their devices may have had their online activity tracked without their permission, experts have warned.

Millions of Kaspersky users may have had their browsing monitored for several years, a new report has said, with individual machines identified and every page visited recorded.

All of the company's antivirus products are thought to be affected by the issue, Kaspersky admitted, meaning millions of users could be at risk.


The flaw was uncovered by German security journalist Ronald Eikenberg, who discovered that Kaspersky's software injected JavaScript code onto every web page rendered on every browser.

The Kaspersky JavaScript contained an ID number that was replicated in every page rendered on a single machine, while each other PC received a different ID.

"That's a remarkably bad idea," Eikenberg wrote in c't magazine. "Other scripts running in the context of the website domain can access the entire HTML source any time, which means they can read the Kaspersky ID. In other words, any website can read the user's Kaspersky ID and use it for tracking."

Investigating the software on a test laptop, Eikenberg found that when visitors came to his test site from other computers, their Kaspersky ID could still be read and used to address them personally, even if they deleted cookies.


Eikenberg notified Kaspersky of the problem, with the company later confirming that the issue existed on all versions of its antivirus software.

Kaspersky has now patched all affected software, and published a security advisory alerting users to the flaw. 

If you think you've been affected, Kaspersky says the best thing to do is ensure your software is updated to the latest version, with patches available on your device or via the company's website.

"Kaspersky has changed the process of checking web pages for malicious activity by removing the usage of unique identifiers for the GET requests," the company said in a statement. "This change was made after Ronald Eikenberg reported to us that using unique identifiers for the GET requests can potentially lead to the disclosure of a user's personal information."

"After our internal research, we have concluded that such scenarios of user's privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process."

"We'd like to thank Ronald Eikenberg for reporting this to us."

Via Tom's Guide

Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.