
Kaspersky AV injected unique ID allowing sites to track users in incognito mode - r0nny
https://heise.de/-4496138
======
tempsolution
Interesting. I think it's time to get rid of this junk. I always had a bad
feeling about AVs, due to repeated "extra vulnerabilities" they seemed to
introduce, while not providing measurable added value compared to Windows
Defender.

That Kaspersky is apparently too stupid to fix this leak properly even after
it was pointed out suggests to me that their developers obviously are
incompetent and the trust in them doing AV right is approaching zero, if they
can't even load a script into a website without leaking like the Iraqi marine.

~~~
mirimir
Indeed.

But then, I don't trust Microsoft, either.

In Debian, I can be reasonably confident that no information leaves the system
without my authorization.

Edit: Just out of curiosity, am I wrong in mistrusting Microsoft, or in
trusting Debian?

~~~
the_duke
You are wrong about trusting Linux.

Linux would badly need AV if it was a more popular desktop OS. Right now the
user base is just too small to be a valuable target.

A regular Linux distro (without SELinux or some kind of application sandboxing
and a hardened setup including NOEXEC home, forbidding ptrace, ...) is very
susceptible to compromise.

All it takes is somehow getting the system to execute one unprivileged shell
script and your user is permanently hosed.

An attacker can spy on everything, including other applications' memory, unless
they prevent it. Browsers are also easily compromised by just injecting an
extension that can spy on everything.

Also the lack of dynamic firewalls makes it hard to monitor/prevent unwanted
network traffic (which could often be easily circumvented, though).

~~~
codedokode
Yes, Linux distributions don't have protection against malicious software. If
you downloaded a third-party program and ran it, it can read everything from
your home directory, including cookies and browser history, it can inject
itself into the browser process, it can see everything you type.

And if you decided to add third-party apt repository, for example, to use
Node.JS or VS Code, you give permanent root access to the owner of repository.
Also, some third-party .deb packages (for example, Slack) automatically add
their repository and public key to apt sources list upon installation.

For example, there is a third-party repository that allows installing
multiple versions of PHP in Debian. This repository replaces cryptographic
libraries provided by Debian with its own ones (you can see those packages
here:
[https://packages.sury.org/php/pool/main/o/openssl/](https://packages.sury.org/php/pool/main/o/openssl/))

Also, in Linux an unprivileged program, run under the "nobody" account, can read
all unique hardware identifiers like MAC address, HDD serial number etc.

------
zaarn
Their fix is apparently to not leak machine-unique UUIDs but UUIDs unique to
the version of the AV. Thanks Kaspersky for leaking whether the user's AV is
vulnerable to exploits!

~~~
lonelappde
That's not really a big deal. The attackers can just be indiscriminate and hit
a good number of vulnerable instances. And it's already pretty standard for
clients to send used agent versions.

~~~
zaarn
Well, it is, because you can now deploy much more targeted payloads, which
means you can hit even more instances with a little bit of extra work,
comparatively.

------
Skunkleton
Honest question: what is AV even for these days? I have had some form of AV on
all of my Windows machines since the 90's. I don't think I have seen a
detection in at least ten years.

~~~
HeavenFox
Every single company I worked for installed AV on our work computers, which
was a huge resource hog and made the highest-specced MacBook Pros feel like a
cheap netbook.

I suspect it is mandated by some sort of compliance requirement, and the IT
departments are just ticking a box. Maybe that's how this industry is still
alive.

~~~
hawski
Reading sibling comments I have an idea for a startup.

Make an AV that does not really do anything, but can be used by thoughtful
companies to "tick the box". Sell licenses and then do only the minimum
required for compliance.

It could be described as using the Windows Defender service to provide the
basis of the AV solution.

~~~
brownbat
An AV that alarmed on unpatched vulnerabilities might be better. Attackers
will resignature their code to evade everything on VT, then spam the world to
hit whoever hasn't patched.

For ransomware anyway. If they're targeting you specifically they'll find out
what you're running and customize against it.

~~~
Skunkleton
A vulnerability scanner would be welcome. I would even run something like that
on my linux machines.

------
Buge
Previous discussion:
[https://news.ycombinator.com/item?id=20703699](https://news.ycombinator.com/item?id=20703699)

------
manishsharan
Do we even need A/V for Windows? I think Microsoft Defender along with
"proper digital hygiene" obviates the need for dedicated A/V solutions.

~~~
buboard
The only annoying thing about it is that it periodically notifies me that "It
has not found any threats". I guess even computer programs feel lonely at
times.

~~~
MikusR
It can be turned off. But I kinda understand why they do that. Every other
antivirus constantly shows various "licence is ending", "some component is
outdated" messages.

------
cies
Anti-virus here means anti-privacy. What shocks me most is that this is in the
paid versions as well.

I run Linux and have ClamAV installed for some compliance thingy, yet I have
never run it (the compliance thingy tells me to have AV installed, not to
actually run it). I can totally recommend some up-to-date Linux distro in case
you want to steer clear of "viruses (etc)".

~~~
ancarda
I used to run ClamAV for a few years, both on Linux and macOS. The only thing
it ever detected were Windows viruses in my spam mailbox. Every time I
received a spam email, ClamAV would complain and I'd have to go delete the
email that was already not in my inbox.

~~~
Jach
This is ironically one of the ways using _any_ AV can increase the attack
surface of a device, leading to its compromise. I don't know if ClamAV has
ever had an issue, but it seems lots of people here have forgotten the zoo of
not-that-long-ago Windows Defender exploits that could be triggered by it
scanning various files, like in a spam email the user never even looked at but
their client downloaded a copy of anyway. The issues are often made worse by
the AV processes that get owned already having root privileges.

------
GordonS
Some years ago I found McAfee Enterprise doing something similar, where it
added a unique ID to the user agent string on Firefox. It didn't inject it
at runtime though, it actually modified your Firefox profile files to set
it.

I presume this wouldn't allow tracking in private browsing mode (I guess
Firefox doesn't use the standard user agent), but still not good.

------
winrid
Avast also tracks clickstream data and sells it to Jumpshot.

~~~
talboito
Jumpshot is Avast.

Just a subsidiary.

~~~
mirimir
Does that somehow make it OK?

~~~
stickfigure
Without knowing anything about the specifics here... yes, I can confidently
say that transmitting information between two companies with the same owner is
"ok" and should be expected.

~~~
kbenson
I think that's splitting hairs, and focusing on the wrong aspect of it. Avast
gives clickstream data to a digital marketing company. That company happens to
be a subsidiary, so Avast _is_ a digital marketing company. The problem
becomes one not of a company sharing your private information with another so
it can be monetized, but the initial company monetizing it itself. If you have
a problem with your data being used for marketing by your AV vendor, whether
it's shared to make it happen is likely of little consequence to you.

~~~
mirimir
Exactly.

And there are other risks to users. Once that data has been collected, others
may access it, and use it in far more damaging ways. Users in China or Saudi
Arabia, for example, may end up in jail, or worse.

------
ficklepickle
Can anyone tell me how Kaspersky is injecting a script into an HTTPS site?

From the screenshot in the article, there doesn't appear to be a Kaspersky
browser extension in use.

I guess it would have to be a MITM of some sort. Either by installing a cert
or by getting the TLS keys from the browser, I suppose?

~~~
verytrivial
This was my immediate thought. Where is the rewrite happening? All the options
seem icky.

~~~
chmod775
I think AV vendors used to do browser addons to provide some functionality.
But since browser extensions in all popular browsers are now effectively
neutered versions of their former selves, they are probably resorting to stuff
like this. It can be hard to even get a browser addon installed as a third
party program without resorting to hacks (thanks to browsers having taken
measures after the toolbar hell).

------
wdawson4
Why would they use a unique ID unless they were intending to track or deliver
unique JS payloads to each user?

Edit: Especially frightening given allegations of FSB ties that other users
pointed out
[https://en.wikipedia.org/wiki/Kaspersky_bans_and_allegations...](https://en.wikipedia.org/wiki/Kaspersky_bans_and_allegations_of_Russian_government_ties)

------
acollins1331
I thought the only people that used AV programs were old people that were
getting scammed?

------
throwamay1241
There's lots of 'Do we need Kaspersky' type questions in here already. The
more pertinent question is whether AV is actually effective, or if stronger
countermeasures like application whitelisting are needed?

[https://www.youtube.com/watch?v=gvcgHkeZ1i4&list=PLqz80p7f6d...](https://www.youtube.com/watch?v=gvcgHkeZ1i4&list=PLqz80p7f6dFuKBsESxMLjrI3ZWzTQoaPU)

~~~
josefx
You would need a document whitelist since many programs can be hijacked using
buffer overflow attacks or outright support execution of arbitrary scripts.

~~~
throwamay1241
I'll also point out that defending against buffer overflows which are
considered vulnerabilities is a far saner boundary than a blacklist of files
which grows infinitely.

------
throwaway_391
I don't fully understand why everyone gets upset over browser leaks when in
private mode - most websites interested in tracking private sessions will just
associate private and non-private sessions by IP address.

If you're paranoid enough to use a VPN for 'private' traffic, you should
probably be running such sessions in a VM using something like the tails live
CD.

~~~
mirimir
For sure.

But using Tails in VMs isn't recommended. Better is using Whonix, because it
isolates the Tor client and userland in separate VMs. It also has a LiveCD
mode. And for added security, you can run it in Qubes.

~~~
throwaway_391
Funny that you namedrop like three security products but fail to evaluate
which hypervisor should be used, which is probably the most important part of
a secure environment if unauthorized code execution fits in your threat model.

~~~
mirimir
Sorry. Whonix, by default for non-expert users, runs in VirtualBox. You can
also use KVM. And Qubes basically uses Xen.

My threat model is mainly about preventing potential adversaries from learning
my ISP-assigned IP address. I don't care all that much if a VM, or even a host
machine, gets pwned. My stuff is well enough compartmentalized that I'd at
most lose some work. But not my privacy.

------
SubiculumCode
[https://www.tomsguide.com/us/kaspersky-possible-ban,news-27054.html](https://www.tomsguide.com/us/kaspersky-possible-ban,news-27054.html)

A good time to remind people that the U.S. government is not a fan of
Kaspersky products.

------
sbhn
AV, always reminding you you’re under attack since 1986.

------
sbhn
If I click the above article link, then come back to this thread, will I find
a unique ID used to track me planted somewhere amongst my cookies?

