Kaspersky software vulnerabilities have left an internal API open to abuse by webmasters, and patching efforts have so far failed.
On Monday, software developer Wladimir Palant documented the story, which began when he started investigating the Kaspersky Web Protection features included in software such as Kaspersky Internet Security 2019. The online protection functionality includes scans of search results to eliminate potentially malicious links, and preventive monitoring.
In December last year, the developer found a set of vulnerabilities and security issues in the Web Protection mode, which can be triggered by any website.
Web Protection must be able to communicate with the main Kaspersky application, and a secret value, which in theory is not known to web domains, is meant to keep this communication safe. However, a security flaw allowed sites to extract this key "quite easily", according to Palant, and "allow them to establish a connection to the Kaspersky application and send commands exactly as Web Protection would do".
The Chrome and Firefox extensions use native messaging to retrieve the signature, while Internet Explorer reads script injections. Without a browser extension, Kaspersky inserts its scripts directly into web pages, and this is where the first vulnerability, CVE-2019-15685, comes in: URL Advisor and frames can be abused to extract the signature.
"Websites could use this vulnerability, for example, to silently disable adblocking and tracking protection functionality", says the developer. "They could also do a lot of things where the impact was not so obvious."
After the bug was reported, Kaspersky developed a fix in July 2019, blocking websites' access to certain features in its 2020 products. However, other commands could still be accepted, such as whitelisting websites in adblockers (CVE-2019-15686). A new issue also arose because of the failed patch: websites had access to data about the user's system, including unique identifiers of the Kaspersky installation on the computer (CVE-2019-15687).
This unexpected data leak was not the end of the story. Palant says the patch also introduced a new vulnerability that could be used to cause a crash in the antivirus process, leaving systems vulnerable to intrusions, such as CVE-2019-15686.
The cybersecurity firm then attempted to fix the situation by resolving the data leak and "mainly" fixing the crash problem. Websites could no longer cause a "crash", but browser extensions or local apps probably could.
A new patch has been developed and will be released on 28 November, but with a "script injection" fallback approach rather than relying purely on browser extensions, and the developer does not have much hope that the problem will be resolved.