Kaspersky Labs does not enjoy the best reputation. The company has been linked to Russian intelligence, the Department of Homeland Security has banned its use in government computers, and Best Buy will not sell its products. In 2017, news broke that the Israelis had observed Russian intelligence operatives using Kaspersky software to spy on the United States. Now, an investigation of the company’s antivirus software has uncovered a major data leak that goes back to 2015.
According to German publication C’t, Kaspersky antivirus injects a Universally Unique Identifier (UUID) into the source code of every single website that you visit. This UUID value is unique to the computer and the installation of the software. The value injected into each and every website never changes, even if you use a different browser or access the internet using a browser’s Incognito Mode.
C’t found the injection because one of their antivirus software evaluators came across the same line of source code in multiple websites. Installing the application on different systems resulted in the creation of different UUID values. Assigned UUIDs didn’t change over time, indicating that they were static. And because these values are injected into the source code of every single website that you visit, it means that the sites you visit can track you back. As C’t writes:
Other scripts running in the context of the website domain can access the entire HTML source any time, which means they can read the Kaspersky ID.
In other words, any website can read the user’s Kaspersky ID and use it for tracking. If the same Universally Unique Identifier comes back, or appears on another website of the same operator, they can see that the same computer is being used.
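The comparison that exposed the injection, the same UUID-shaped string turning up in the source of unrelated sites, can be repeated as a self-audit over saved page source. This is an added example, not code from C’t or Kaspersky; the hostname `injector.example`, the UUIDs, the site names and the function names are constructed placeholders.

```javascript
// Added example: constructed data and hypothetical names throughout.
const UUID_RE = /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/gi;

// All UUID-shaped tokens in one HTML document, lowercased and de-duplicated.
function uuidsIn(html) {
  return new Set((html.match(UUID_RE) || []).map((u) => u.toLowerCase()));
}

// captures: page source saved on the machine under test, one entry per visit.
// baseline: source of the same pages fetched from a machine without the product;
// anything found there is served by the site itself and is ignored.
// Returns tokens seen on at least minOrigins unrelated origins.
function findInjectedIds(captures, baseline = [], minOrigins = 2) {
  const siteOwned = new Set(baseline.flatMap((html) => [...uuidsIn(html)]));
  const seen = new Map(); // token -> { origins: Set, profiles: Set }
  for (const { origin, profile, html } of captures) {
    for (const id of uuidsIn(html)) {
      if (siteOwned.has(id)) continue;
      if (!seen.has(id)) seen.set(id, { origins: new Set(), profiles: new Set() });
      seen.get(id).origins.add(origin);
      seen.get(id).profiles.add(profile);
    }
  }
  return [...seen]
    .filter(([, v]) => v.origins.size >= minOrigins)
    .map(([id, v]) => ({ id, origins: [...v.origins].sort(), profiles: [...v.profiles].sort() }));
}

// Constructed sample: the injected tag, its host and the UUIDs are placeholders.
const INJECTED = '<script src="https://injector.example/0000aaaa-1111-4222-8333-bbbbcccc4444/main.js"></script>';
const WIDGET = '<div data-widget="aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"></div>';
const SAMPLE = [
  { origin: 'https://news.example', profile: 'chrome', html: `<html><head>${INJECTED}</head><body>${WIDGET}</body></html>` },
  { origin: 'https://shop.example', profile: 'firefox', html: `<html><head>${INJECTED.toUpperCase()}</head></html>` },
  { origin: 'https://forum.example', profile: 'chrome-incognito', html: `<html><head>${INJECTED}</head><body>${WIDGET}</body></html>` },
];
const BASELINE = [`<html><body>${WIDGET}</body></html>`];

for (const hit of findInjectedIds(SAMPLE, BASELINE)) {
  console.log(`${hit.id} on ${hit.origins.length} origins, profiles: ${hit.profiles.join(', ')}`);
}
```

The baseline argument matters: without it, the widget key that two of the sample sites embed themselves would be reported alongside the injected value.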
After building a proof-of-concept and testing that users with Kaspersky antivirus installed could indeed be tracked straight through incognito mode, C’t contacted Kaspersky. The flaw now has a formal name: CVE-2019-8286. Kaspersky has argued that it’s a fairly minimal problem that would require advanced techniques to exploit. Kaspersky has patched its software so that it now only injects information about which version of a Kaspersky product you use into each and every website you visit, not a unique identifier specific to your personal machine. C’t is not happy with this fix and believes it still constitutes a security risk.
C’t’s proof of concept. Image by C’t.
A bug that identifies a computer to a website that knows how to listen for that information is potentially quite valuable. Even if Kaspersky has no external database associating UUIDs with specific installations, broadcasting a UUID straight through incognito mode means that a webserver logs a visit from a specific computer. If that machine is associated with a specific individual, you’ve established a link.
Is it possible that Kaspersky simply made a terrible security decision when it implemented its antivirus software? Absolutely. The fact that a bug exists doesn’t automatically mean that someone nefarious was using it. But these types of coincidences are interesting, to say the least. Broadcasting a UUID as part of antivirus software operation is not the kind of attack avenue most of us would expect. It’s the type of fingerprinting method that an intelligence agency might be very interested in using to track who was accessing very specific websites, but not the kind of thing that a regular malware operation would have much interest in. Of course, one could also argue that this is why the bug snuck in to start with. Kaspersky’s flaw, in this reading, isn’t deliberate nefariousness; it’s an accident that reflects the company’s chief focus on stopping ordinary malware, not state actors.
I don’t know which perception is right. But I would at least suggest investigating an antivirus provider with fewer allegations of foreign intelligence cooperation if this sort of issue is a concern to you.
Windows Defender (Windows 10) Top Ranked By AV Test (2018) and https://www.tomshardware.com/news/windows-defender-perfect-scores-av-test,40139.html (2019) show that you really don't need to use a third party AV program anymore. The only real problem with it is that it's as slow as molasses in wintertime when doing a scan, taking several hours to perform a full scan even on a modern system with 6 or more processor cores and solid state drives. Third party AV tools usually also include a firewall which is far more intuitive than Windows Firewall as well.
Still given the issues which have cropped up in the last few years about some third party AV tools, be they issues like with Kaspersky or compatibility issues between them and Windows, and the "We're going to remove programs we don't think you should be using" stance of Microsoft especially when it comes to new versions, not to mention the additional cost of a third party AV program and the scareware tactics some of them have a history of using (NORTON, for example), just don't use them.
I absolutely agree!
I run Windows Defender and then load the beta versions of Malwarebytes Anti-Ransomware and Anti-Exploit. These are the modules you pay to run in the paid version but can run them free in the ongoing betas. MajorGeeks or BleepingComputer host safe download versions of any of your security needs. I have done this for many years now along with uBlock Origin in my browser to block malicious sites. I have almost no issues with malware as long as I keep it all up to date. A nice entry level business class router is a great addition to home security if you can swing the price.
I would be very careful loading any software that does not originate in USA and Canada or Western Europe. I would caution to do your homework there too. I have been removing malware as a professional since its inception in the XP days and can tell you that much of the so called ANTI malware products by the very definition of malware are malware.
" much of the so called ANTI malware products by the very definition of malware are malware"
I have thought the same thing for years now. I do not use defender. I use the least intrusive, most accurate, and fastest one I can find. Currently, I am using bitdefender.
The best malware defense is to have good practices for downloads, browsing, emails, phishing, etc...
It would be nice to see how Windows Defender non-virus malware protection is since realistically most people are more at risk for cryptominers, keyloggers, and other such programs, especially since the vast majority of people do not use an adblocker or script blocker, or even use common sense about which websites they visit or programs they install.
Well, it does defend against non-virus malware fine. Defender began its life as just malware detection; it was called Giant Anti-Spyware, I believe, if memory serves, and MS bought out the company to be able to offer it as a free add-on to XP. At the time malware was crippling PCs left and right and nobody knew what to do. With a registry change you can also have Defender defend against PUPs. Winaero Tweaker is just a great utility for unlocking Windows' full potential. You should check it out sometime. But you are right, most malware that affects people is not virus; in fact the most dangerous thing we do on our computer is answer phishing questions or click on any check box or prompt of any kind, like yes or no or open or close. If you start getting random popups browsing, don't click anything, hit Alt-F4 or turn off the computer if you don't know how to handle it, is what I teach our staff. Cautious web browsing, email reading and document opening is to me still the best defense. But it takes many layers of protection to be safe these days. Most of the pay stuff doesn't add a thing you can't get for free and in many cases the free stuff is way better and less bloated IMHO.
There are several of those and if you use the blockers in uBlock it will block the known mining sites. I had tried a few of those mine blocking plug ins and they redirects that were not there without so I quickly uninstalled them.