Kaspersky online protection API left open to abuse by websites

November 29, 2019
in Internet Security

Vulnerabilities in Kaspersky software have left an internal API open to abuse by webmasters and attempts to patch have, so far, failed. 


On Monday, software developer Wladimir Palant documented the saga, which started when he began investigating the Kaspersky Web Protection features included in software such as Kaspersky Internet Security 2019. The online protection functionality includes scanning search results to weed out potentially malicious links, ad blocking, and tracking prevention.

In December last year, the developer found a set of vulnerabilities and security issues in the Web Protection feature that any website could exploit.

Web Protection needs to communicate with the main Kaspersky application, and a “secret” signature value, which in theory is not known to websites, is used to secure that communication. However, a security flaw permitted websites to elicit this key “fairly easily,” according to Palant, and “allow them to establish a connection to the Kaspersky application and send commands just like Web Protection would do.”

The Chrome and Firefox extensions use native messaging to retrieve the signature, whereas in Internet Explorer it is read from injected scripts. Without a browser extension, Kaspersky injects its scripts directly into web pages, and this is where the first vulnerability of note, CVE-2019-15685, appeared: URL Advisor and frames were abused in order to extract the signature.

“Websites could use this vulnerability, for example, to silently disable adblocking and tracking protection functionality,” the developer says. “They could also do quite a few things where the impact wasn’t quite as obvious.”


After the flaw was reported, Kaspersky developed a fix in July 2019 by blocking website access to some functionality in its 2020 products. However, other commands could still be accepted, such as whitelisting websites on adblockers (CVE-2019-15686). A new issue also emerged because of the failed patch: websites were able to access user system data, including unique identifiers of the Kaspersky installation on a PC (CVE-2019-15687).

“When I tried the new Kaspersky Internet Security 2020, extracting the secret from injected scripts was still trivial and the main challenge was adapting my proof-of-concept code to changes in the API calling convention,” Palant says. “Frankly, I cannot blame Kaspersky developers for not even trying — I think that defending their scripts in an environment that they cannot control is a lost cause.”

This inadvertently introduced data leak was not the end of the story. Palant says that the patch also introduced a new vulnerability that could be used to trigger a crash in the antivirus process, leaving systems vulnerable to compromise, tracked as CVE-2019-15686.
 
The cybersecurity firm then attempted another fix, resolving the data leak and “mostly” fixing the crash issue; websites no longer could trigger a crash, but browser extensions or local applications possibly could. 


A new patch has been developed and will be made available on November 28, but because Kaspersky keeps script injection as a fallback rather than relying purely on browser extensions, the developer isn't hopeful that the problem will truly be resolved.

“Maybe Kaspersky is so attached to scripts injected directly into web pages because these are considered a distinguishing feature of their product, it being able to do its job even if users decline to install extensions,” the developer says. “But that feature also happens to be a security hazard and doesn’t appear to be reparable.”

“One thing won’t change, however: websites can still send commands to Kaspersky applications. Is all the functionality they can trigger there harmless? I wouldn’t bet on it.”


Update 14.14 GMT: A Kaspersky spokesperson told ZDNet:

“Kaspersky has fixed security issues in the web protection component in its products and product extensions for Google Chrome. These security issues were fixed by patches 2019 I, J and 2020 E, F, which were delivered to users through the automatic update procedures. 

A reboot may be required to apply these updates. 

The company also recommends that users make sure that Kaspersky protection extensions for web browsers are installed and enabled. Detailed information about the fixed issues is available on the Kaspersky website.”

Credit: Zdnet
