Kaspersky online protection API left open to abuse by websites

Updated: The internal API has been subject to not one, but multiple failed fix attempts.


Vulnerabilities in Kaspersky software have left an internal API open to abuse by webmasters, and attempts to patch it have, so far, failed.

On Monday, software developer Wladimir Palant documented the saga, which began when he started investigating the Kaspersky Web Protection features included in software such as Kaspersky Internet Security 2019. The online protection functionality includes scanning search results to weed out potentially malicious links, ad blocking, and tracking prevention.

In December last year, the developer found a set of vulnerabilities and security issues in the Web Protection feature, which can be enabled by any website.

Web Protection needs to be able to communicate with the main Kaspersky application, and a "secret" signature value, which in theory is not known to web domains, is used to secure that communication. However, a security flaw permitted websites to obtain this key "fairly easily," according to Palant, and "allow them to establish a connection to the Kaspersky application and send commands just like Web Protection would do."

The Chrome and Firefox extensions use native messaging to retrieve the signature, whereas on Internet Explorer it is read from injected scripts. Without a browser extension, Kaspersky injects its scripts directly into web pages, and this is where the first vulnerability of note, CVE-2019-15685, appeared: URL Advisor and frames could be abused to extract the signature.

"Websites could use this vulnerability, for example, to silently disable adblocking and tracking protection functionality," the developer says. "They could also do quite a few things where the impact wasn't quite as obvious."


After the flaw was reported, Kaspersky developed a fix in July 2019 by blocking websites' access to some functionality in its 2020 products. However, other commands were still accepted, such as whitelisting websites in the ad blocker (CVE-2019-15686). A new issue also emerged from the failed patch: websites were able to access user system data, including unique identifiers of the Kaspersky installation on a PC (CVE-2019-15687).

"When I tried the new Kaspersky Internet Security 2020, extracting the secret from injected scripts was still trivial and the main challenge was adapting my proof-of-concept code to changes in the API calling convention," Palant says. "Frankly, I cannot blame Kaspersky developers for not even trying -- I think that defending their scripts in an environment that they cannot control is a lost cause."

This inadvertently introduced data leak was not the end of the story. Palant says that the patch also introduced a new vulnerability that could be used to trigger a crash in the antivirus process, leaving systems vulnerable to compromise, tracked as CVE-2019-15686.
 
The cybersecurity firm then attempted another fix, resolving the data leak and "mostly" fixing the crash issue; websites no longer could trigger a crash, but browser extensions or local applications possibly could. 


A new patch has been developed and will be made available on November 28, but because the product keeps a fallback script-injection approach rather than relying purely on browser extensions, the developer isn't hopeful that the problem will be truly resolved.

"Maybe Kaspersky is so attached to scripts injected directly into web pages because these are considered a distinguishing feature of their product, it being able to do its job even if users decline to install extensions," the developer says. "But that feature also happens to be a security hazard and doesn't appear to be reparable."

"One thing won't change, however: websites can still send commands to Kaspersky applications. Is all the functionality they can trigger there harmless? I wouldn't bet on it."


Update 14.14 GMT: A Kaspersky spokesperson told ZDNet:

"Kaspersky has fixed security issues in the web protection component in its products and product extensions for Google Chrome. These security issues were fixed by patches 2019 I, J and 2020 E, F, which were delivered to users through the automatic update procedures. 

A reboot may be required to apply these updates. 

The company also recommends that users make sure that Kaspersky protection extensions for web browsers are installed and enabled. Detailed information about the fixed issues is available on the Kaspersky website."
