Tuesday, July 14, 21:10
Home security Kaspersky's API is open to abuse by websites

Kaspersky's API is open to abuse by websites

Kaspersky software vulnerabilities have left an internal API open to abuse by webmasters, and patching efforts have so far failed.

On Monday, software developer Wladimir Palant documents the myth, which began after he began investigating Kaspersky Web Protection features included in software such as Kaspersky Internet Security 2019. Online protection functionality includes scans of search results to eliminate potentially malicious links, and preventive monitoring.

In December last year, the developer found a set vulnerabilities and security issues in Web protection mode, which can be activated by any website.


Web Protection must be able to communicate with the main Kaspersky application and the value of a secret value, which in theory is not known to web domains and has the ability to ensure safety Communication. However, a security flaw allowed sites to extract this key "quite easily", according to Palant, and "allow them to establish a connection to the Kaspersky application and send commands exactly as Web Protection would do".

Chrome and Firefox extensions use native messages to retrieve the signature, while Internet Explorer reads script injections. Without extending the browser, Kaspersky will insert its scripts directly into the website, and here's the first CVE-2019-15685 vulnerability through abuse of URL Advisor and frames, in order to extract the signature.

“Websites could use this vulnerability, for example, to silently disable protection functionality adblocking and tracking ”, says the developer. "They could also do a lot of things where the impact was not so obvious."

After the bug was reported, Kaspersky developed a solution in July for 2019, blocking access to certain features on 2020 products' websites. However, other commands could be accepted, such as whitelisting websites in adblockers (CVE-2019-15686). A new issue has also arisen because of the failure patch: websites had access to data of the user system, including unique identifiers of the Kaspersky computer installation (CVE-2019-15687).

This unexpected introduction data it wasn't the end of the story. Palant says the patch also introduced a new vulnerability that could be used to cause a crash in the process antivirus, leaving systems vulnerable to intrusions, such as CVE-2019-15686.

The cybersecurity firm then attempted to fix the situation by resolving data leakage and "mainly" fixing the crash problem. sites could no longer cause a "crash", but extensions browser or local apps probably could.

A new patch has been developed and will be released on 28 November, but with a "script injection" backup approach instead of relying purely on extensions browser, with the developer not having much hope that the problem will be resolved.


Please enter your comment!
Please enter your name here

Teo Ehc
Teo Ehchttps://www.secnews.gr
Be the limited edition.


Spotify: Finally reshaping its podcast charts

Spotify is reshaping its podcast charts to help listeners find new shows and watch local news ...

Find out if you have been hacked and what to do about it

Hacking attacks are a daily occurrence with many victims worldwide. Everyone is vulnerable to cyber hackers, but the threats do not ...

ISIS accounts continue Facebook propaganda

According to a new research, some accounts connected to the terrorist group ISIS, still exist on Facebook, without becoming ...

US and UK: Dealing with major cyber attacks

The United States, the United Kingdom, India and Germany have experienced many "significant" cyber attacks over the past 14 years, ...

Google Meet: New security settings for training meetings

New security features are coming into the Google Meet video chat app for education subscribers' teleconferencing.

Technology companies against the deportation of foreign students from the USA!

Technology giants such as Google, Microsoft and Facebook, as well as many other technology companies, have joined the US Chamber of Commerce, ...

Microsoft announces new features in ATP for Azure Storage!

Microsoft announced today that Advanced Threat Protection (ATP) for Azure Storage now enables customers to protect ...

The UK is on the alert for cyber attacks from China

The United Kingdom must be vigilant about possible cyber attacks by countries such as China, government ministers have said.

Linux 5.8-rc5: Will be released with terminology changes

On July 4, Dan Williams proposed changing the special terms of Linux, with new names ...

Belgium: Jackpotting attack on Argenta bank ATM

Argenta Bank, based in Antwerp, Belgium, has been the victim of a jackpotting attack. Is...