Unique Kaspersky AV User ID Allowed 3rd-Party Web Tracking

Kaspersky antivirus products injected a unique identification number for each device into the web pages visited by their customers. This began at the end of 2015 and could be used to monitor a user's interests.

Both the paid and free versions of the antivirus product showed this behaviour, which enables tracking regardless of the web browser used, even when customers have begun private sessions.

JavaScript source fault

The problem, flagged by c’t magazine publisher Ronald Eikenberg, was that JavaScript from a Kaspersky server was loaded from an address containing an ID unique to each user.

Scripts on a website can read the HTML source and pick up the Kaspersky identifier, which Eikenberg found remained unchanged on the same system.

“In other words, any website can read the user’s Kaspersky ID and use it for tracking. If the same Universally Unique Identifier comes back, or appears on another website of the same operator, they can see that the same computer is being used.”

The script’s purpose is entirely legitimate. One of its uses is to warn users about dangerous search results by adding a checkmark next to them. Kaspersky is not the only antivirus to do this.

Easy user tracking

Kaspersky acknowledged the problem and that third parties could leverage it to “possibly jeopardize user privacy by using a single product identification.” According to a July 11 memo, an attacker could take advantage of this with a script on a server under their control.

Before Eikenberg reported the issue to Kaspersky, he assessed its potential by setting up a website that automatically copied its visitors' Kaspersky IDs for about half an hour.

Eikenberg says it is possible that marketers, malicious actors and sites that profile visitors discovered this user data leak, now known as CVE-2019-8286, years earlier and exploited it.

Fix does not totally eliminate tracking

He repeated the experiment with a patched Kaspersky product and noticed that the ID is still there, but it is now the same for all users of a specific Kaspersky edition, so individual users can no longer be tracked.

The tracking issue persists at a broader level, however, as websites can still see whether a visitor has Kaspersky antivirus installed and how old it is.
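
An audit for the behaviour described above, added here as an example and not taken from the article, c't or Kaspersky: it scans page source captured on two of your own machines for script URLs carrying a UUID, and reports whether the injected ID differs per installation (trackable) or is shared (the patched behaviour). The host name, UUIDs and function names are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

UUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

class ScriptSrcs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)

def uuid_scripts(html):
    """Return {(script_host, uuid)} for script URLs whose path carries a UUID."""
    parser = ScriptSrcs()
    parser.feed(html)
    found = set()
    for src in parser.srcs:
        m = UUID_RE.search(urlparse(src).path)
        if m:
            found.add((urlparse(src).hostname, m.group(0).lower()))
    return found

def injected_ids(pages):
    """pages: {site: html} captured on ONE machine. An ID counts as injected
    when the same (host, uuid) shows up on two or more unrelated sites."""
    seen = {}
    for site, html in pages.items():
        for key in uuid_scripts(html):
            seen.setdefault(key, set()).add(site)
    return {key for key, sites in seen.items() if len(sites) >= 2}

def classify(machine_a, machine_b):
    """Compare two machines: differing IDs identify the installation."""
    a, b = injected_ids(machine_a), injected_ids(machine_b)
    if not a and not b:
        return "no-injection"
    return "shared-id" if a == b else "per-install-id"

# Constructed captures; host name and UUIDs are placeholders, not real values.
ID_A, ID_B = "11111111-2222-3333-4444-555555555555", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
def capture(uid):
    tag = f'<script src="https://av-inject.example/{uid}/main.js"></script>'
    return {site: f"<html><head>{tag}</head></html>" for site in ("news.example", "shop.example")}
UNPATCHED = (capture(ID_A), capture(ID_B))   # each machine has its own ID
PATCHED = (capture(ID_A), capture(ID_A))     # same ID on both machines
```

A "shared-id" result still means the pages reveal that the product is installed, which is the residual exposure the article describes.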

“That is actually valuable information to an attacker. They may use that information to distribute malware tailored to the protection software, or to redirect the browser to a suitable scamming page,” the researcher wrote in a post today.

In an attack scenario imagined by Eikenberg, a message could tell victims that their particular version of a Kaspersky product is about to expire and that they can extend their license with an online purchase.

One way to avoid this type of risk is to disable the product's traffic feature through the Network menu, turning off the option to inject the script into web traffic.

Kaspersky offered the same solution to various customers who were not comfortable with the antivirus injecting JavaScript into the websites they visited.

Users should be aware that disabling this option affects the functionality of other parts of the product, such as safe input, safe cash, incognito browsing, anti-banner or parental control.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.