Cross Site Flaw in Kaspersky Antivirus Exposes User’s Activity


A few days ago, independent security researcher Ronald Eikenberg reported a cross-site flaw in Kaspersky Antivirus. He found that the antivirus assigns each user a unique identifier, and that this identifier could be used to track every website the user had visited over the past four years. The vulnerability lies in the program's URL scanning module, Kaspersky URL Advisor.

The flaw could allow other websites and third-party services to track a user's browsing history, and it works even if the user regularly clears third-party cookies from the browser.

How does it Work

The vulnerability is designated CVE-2019-8286. Kaspersky's Internet security products inject a JavaScript file directly into the source code of the web pages a user visits. The injected script carries a string allocated uniquely to that user, which is what makes the user's browsing history trackable.

Every user is given a string that Kaspersky uses for its own purposes; the problem is that other websites can easily read that string and use it for tracking and analytics, at the expense of the user's privacy.


According to the researcher, permanently allocating a distinct string to every user is a bad idea: other scripts running on the same web pages can read the page source, pick up the Kaspersky ID and use it to follow the user's web history.

Kaspersky is not alone: many other security vendors use the same method of script injection to check web pages for malicious content.


Patching the Issue

The security researcher Ronald Eikenberg reported the issue to the Kaspersky security team, and Kaspersky fixed it last month by assigning the same fixed value (FD126C42-EBFA-4E12-B309-BB3FDD723AC1) to all users instead of a different string to each.

As the researchers revealed, third-party sites can still check whether Kaspersky software is installed on the user's system.
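To make the difference between the vulnerable and the patched behaviour concrete, here is an added JavaScript check (not code from the article or from Kaspersky) that scans a page's script tags for a UUID-shaped path segment and reports whether it is the stable post-fix value quoted above or a per-user identifier. The hostname and URL layout in the sample pages are constructed assumptions, not Kaspersky's real injection URL.

```javascript
// Added example: classify injected scripts by the identifier in their URL path.
// The stable value is the one the article quotes as Kaspersky's post-fix constant.
const STABLE_ID = "FD126C42-EBFA-4E12-B309-BB3FDD723AC1";
const UUID_RE = /[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}/;
const SCRIPT_SRC_RE = /<script[^>]+src=["']([^"']+)["']/gi;

// Returns one finding per external script whose path contains a UUID-shaped
// segment. "stable-id" means the shared constant (patched behaviour);
// "per-user-id" means a distinct value that could identify this user to
// any other script on the page (the CVE-2019-8286 behaviour).
function classifyInjectedScripts(html, hostSuffix) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    const src = m[1];
    let url;
    try { url = new URL(src); } catch { continue; } // skip relative or malformed URLs
    if (hostSuffix && !url.hostname.endsWith(hostSuffix)) continue;
    const id = url.pathname.match(UUID_RE);
    if (!id) continue; // ordinary script, no identifier in the path
    findings.push({
      src,
      id: id[0],
      status: id[0].toUpperCase() === STABLE_ID ? "stable-id" : "per-user-id",
    });
  }
  return findings;
}

// Constructed sample pages (hostname and path layout are assumptions).
const PATCHED_PAGE =
  `<html><head><script src="https://scanner.example.invalid/${STABLE_ID}/main.js"></script></head></html>`;
const UNPATCHED_PAGE =
  `<html><head><script src="https://scanner.example.invalid/1B2E0A77-3C4D-4E5F-8A9B-0C1D2E3F4A5B/main.js"></script>` +
  `<script src="https://cdn.example.invalid/app.js"></script></head></html>`;

console.log(classifyInjectedScripts(PATCHED_PAGE, "example.invalid"));
console.log(classifyInjectedScripts(UNPATCHED_PAGE, "example.invalid"));
```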

The issue is now fixed and users' privacy is no longer at risk, but Kaspersky's JavaScript is still injected into web pages. Users can disable that functionality if they want to.


You can disable the script manually by going to Settings → Additional → Network and unchecking the Traffic processing box, as shown in the screenshot.
