Kaspersky Labs does not enjoy the best reputation. The company has been linked to Russian intelligence, the Department of Homeland Security has banned its use in government computers, and Best Buy will not sell its products. In 2017, news broke that the Israelis had observed Russian intelligence operatives using Kaspersky software to spy on the United States. Now, an investigation of the company’s antivirus software has uncovered a major data leak that goes back to 2015.
According to German publication C’t, Kaspersky antivirus injects a Universally Unique Identifier (UUID) into the source code of every single website that you visit. This UUID value is unique to the computer and the installation of the software. The value injected into each and every website never changes, even if you use a different browser or access the internet using a browser’s Incognito Mode.
C’t found the injection because one of their antivirus software evaluators came across the same line of source code in multiple websites. Installing the application on different systems resulted in the creation of different UUID values. Assigned UUIDs didn’t change over time, indicating that they were static. And because these values are injected into the source code of every single website that you visit, it means that the sites you visit can track you. As C’t writes:
Other scripts running in the context of the website domain can access the entire HTML source any time, which means they can read the Kaspersky ID.
In other words, any website can read the user’s Kaspersky ID and use it for tracking. If the same Universally Unique Identifier comes back, or appears on another website of the same operator, they can see that the same computer is being used.
After building a proof-of-concept and testing that users with Kaspersky antivirus installed could indeed be tracked straight through incognito mode, C’t contacted Kaspersky. The flaw now has a formal name: CVE-2019-8286. Kaspersky has argued that it’s a fairly minimal problem that would require advanced techniques to exploit. Kaspersky has patched its software so that it now only injects information about which version of a Kaspersky product you use into each and every website you visit, not a unique identifier specific to your personal machine. C’t is not happy with this fix and believes it still constitutes a security risk.
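The following is an added example, not code from the article, from C’t or from Kaspersky, showing how a site owner or privacy auditor could check for the class of leak described above: an identifier inside an injected script element that stays the same across unrelated origins, which is what makes it usable for tracking. The script host, paths and UUIDs are constructed sample data, not the real injected code, and the "after fix" pages assume the patched behaviour the article describes (a product version string instead of a per-machine UUID).

```javascript
// Added example (not from the article or from Kaspersky): audit page HTML for an
// injected, installation-stable identifier of the kind the article describes.
// The script URL, the inline snippet shape and the UUIDs below are constructed
// test data, not the real injected code.

const UUID_RE = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/gi;
const SCRIPT_RE = /<script\b[^>]*>[\s\S]*?<\/script>/gi;

// Return every UUID-looking token found inside <script> elements of an HTML document.
// Scanning only script elements keeps ordinary page content (which may legitimately
// contain UUIDs, e.g. order references) out of the result.
function findScriptIdentifiers(html) {
  const found = new Set();
  for (const tag of html.match(SCRIPT_RE) || []) {
    for (const id of tag.match(UUID_RE) || []) found.add(id.toLowerCase());
  }
  return [...found];
}

// Given the HTML seen on pages from different, unrelated origins, report identifiers
// that appear on every one of them. A per-page or per-site token does not survive
// this intersection; a per-installation token, like the one the article describes, does.
function crossSiteIdentifiers(pagesByOrigin) {
  const origins = Object.keys(pagesByOrigin);
  if (origins.length < 2) return [];
  let common = new Set(findScriptIdentifiers(pagesByOrigin[origins[0]]));
  for (const origin of origins.slice(1)) {
    const ids = new Set(findScriptIdentifiers(pagesByOrigin[origin]));
    common = new Set([...common].filter((id) => ids.has(id)));
  }
  return [...common];
}

// Constructed sample pages. The injected <script> line imitates the structure the
// article describes (a locally served script whose URL carries a fixed id); the host,
// path and ids are invented. The order reference in the body is there to show that
// UUIDs outside script elements are ignored.
const INJECTED_ID = '3a7e1d2c-9b44-4f0e-8c21-5d6e7f8a9b0c';
const pagesBeforeFix = {
  'https://news.example': `<html><head><title>News</title>
<script type="text/javascript" src="http://localhost:1234/hypothetical-av/${INJECTED_ID}/main.js" charset="UTF-8"></script>
</head><body><p>Order ref 11111111-2222-4333-8444-555555555555</p></body></html>`,
  'https://shop.example': `<html><head>
<script type="text/javascript" src="http://localhost:1234/hypothetical-av/${INJECTED_ID}/main.js" charset="UTF-8"></script>
</head><body>shop</body></html>`,
};

// After the fix the article describes, only a product version string is injected,
// which does not distinguish one installation from another (constructed sample).
const pagesAfterFix = {
  'https://news.example': `<html><head>
<script type="text/javascript" src="http://localhost:1234/hypothetical-av/v19.0.0/main.js"></script>
</head><body>news</body></html>`,
  'https://shop.example': `<html><head>
<script type="text/javascript" src="http://localhost:1234/hypothetical-av/v19.0.0/main.js"></script>
</head><body>shop</body></html>`,
};

console.log('stable cross-site ids before fix:', crossSiteIdentifiers(pagesBeforeFix)); // [INJECTED_ID]
console.log('stable cross-site ids after fix :', crossSiteIdentifiers(pagesAfterFix));  // []
```

The useful signal is not "a UUID appears on a page" but "the same UUID appears on pages from origins that share no infrastructure": that intersection is what separates a per-installation identifier from a harmless per-request token. In a browser the same check can be run on `document.documentElement.outerHTML` from two unrelated sites; if a locally installed product is injecting a stable value, it will show up in both.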
C’t’s proof of concept. Image by C’t.
A bug that identifies a computer to a website that knows how to listen for that information is potentially quite valuable. Even if Kaspersky has no external database associating UUIDs with specific installations, broadcasting a UUID straight through incognito mode means that a webserver logs a visit from a specific computer. If that machine is associated with a specific individual, you’ve established a link.
Is it possible that Kaspersky simply made a terrible security decision when it implemented its antivirus software? Absolutely. The fact that a bug exists doesn’t automatically mean that someone nefarious was using it. But these types of coincidences are interesting, to say the least. Broadcasting a UUID as part of antivirus software operation is not the kind of attack avenue most of us would expect. It’s the type of fingerprinting method that an intelligence agency might be very interested in using to track who was accessing very specific websites, but not the kind of thing that a regular malware operation would have much interest in. Of course, one could also argue that this is why the bug snuck in to start with. Kaspersky’s flaw, in this reading, isn’t deliberate nefariousness; it’s an accident that reflects the company’s chief focus on stopping ordinary malware, not state actors.
I don’t know which perception is right. But I would at least suggest investigating an antivirus provider with fewer allegations of foreign intelligence cooperation if this sort of issue is a concern to you.