Kaspersky Antivirus has left millions of customers open to online monitoring


Millions of Kaspersky Antivirus users could have had their online activity tracked without their permission due to a software security flaw.

Websites were able to track Kaspersky users for years, identifying individual computers and monitoring each page visited, according to a report.

All of the company's antivirus products are believed to be affected by the problem, meaning that millions of users could have been affected.


The flaw was discovered by German security journalist Ronald Eikenberg, who found that Kaspersky software was injecting JavaScript code into every web page displayed by every browser.

The Kaspersky JavaScript code contained an identification number that was replicated on every rendered page on a single machine. The identification number was different on other computers.

"It's a very bad idea," Eikenberg writes in c't magazine. "Other scripts running in the context of the website's domain can access the HTML source at any time, which means they can read the Kaspersky identifier. Any website can read the user's Kaspersky ID and use it for tracking."

By testing the software on a test laptop, Eikenberg found that even when other visitors came to his site from other computers, the software was reading their Kaspersky ID and addressing them personally, even if they cleared their cookies.
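One way to check a machine for this behaviour is to save the HTML the browser actually renders for several unrelated sites and look for an identifier-like token in script URLs that repeats across all of them. The sketch below is an added example, not code from Kaspersky or c't; the host `injector.example`, the sample ID and the token pattern are constructed assumptions.

```javascript
// Added example: flag identifier-like tokens in <script src> URLs that repeat
// across pages from unrelated origins (the pattern the article describes).
const SCRIPT_SRC = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
// GUID-like or long hex runs; the real identifier format is an assumption here.
const TOKEN = /[0-9a-f]{8}(?:-?[0-9a-f]{4}){3}-?[0-9a-f]{12}|[0-9a-f]{24,}/gi;

// Collect every identifier-like token found in the script URLs of one page.
function extractTokens(html) {
  const tokens = new Set();
  for (const m of html.matchAll(SCRIPT_SRC)) {
    for (const t of m[1].matchAll(TOKEN)) tokens.add(t[0].toLowerCase());
  }
  return tokens;
}

// Return tokens seen on at least minOrigins distinct origins.
function findPersistentIds(captures, minOrigins = 2) {
  const seen = new Map(); // token -> Set of origins it appeared on
  for (const { origin, html } of captures) {
    for (const token of extractTokens(html)) {
      if (!seen.has(token)) seen.set(token, new Set());
      seen.get(token).add(origin);
    }
  }
  return [...seen]
    .filter(([, origins]) => origins.size >= minOrigins)
    .map(([token, origins]) => ({ token, origins: [...origins].sort() }));
}

// Constructed sample captures: three unrelated sites as rendered on one machine.
const ID = "1f2e3d4c-5b6a-4978-8695-a4b3c2d1e0f9"; // constructed value
const captures = [
  { origin: "https://news.example",
    html: `<head><script src="https://injector.example/${ID}/main.js"></script>` +
          `<script src="/static/app.3fa9c1.js"></script></head>` },
  { origin: "https://shop.example",
    html: `<script type="text/javascript" src="https://injector.example/${ID}/main.js"></script>` +
          `<script src="https://cdn.example/lib.0123456789abcdef01234567.js"></script>` },
  { origin: "https://bank.example",
    html: `<script src='https://injector.example/${ID}/main.js'></script>` },
];

console.log(findPersistentIds(captures));
```

A content hash in a shared third-party library URL can also repeat across sites, so a hit is only confirmed as a per-machine identifier when the same captures taken on a second computer show a different value.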


Eikenberg reported the problem to Kaspersky, which later confirmed that the problem existed for all versions of its antivirus software.

Kaspersky has now fixed all affected software and issued a security advisory warning users of the flaw.

If you think you have been affected, Kaspersky indicates that the best you can do is ensure that your software is updated to the latest version, with patches available on your device or on the company's website.

"Kaspersky has changed the process of checking web pages for malicious activity by eliminating the use of unique identifiers for GET requests," the group said in a statement. "This change was made after Ronald Eikenberg told us that the use of unique identifiers for GET requests could lead to the disclosure of a user's personal information."

"After our internal study, we concluded that such user privacy breach scenarios are theoretically possible, but unlikely to be realized, due to their complexity and low profitability for cybercriminals, but we are constantly working to improve our technologies and products, leading to a change in this process."

"We would like to thank Ronald Eikenberg for informing us of this."

Via Tom's Guide