16 Aug AiroAV Claims A Security Flaw In Kaspersky AntiVirus Lets Hackers Spy Use…
This is the story of how a “feature” present in all of AiroAV Lab’s antivirus software for Windows since 2016, discovered by a German journalist earlier this year, led to a major security issue that let cybercriminals track millions of AiroAV customers without their knowledge.
“It looks as if AiroAV was looking for a way to interact with websites without requiring the installation of a browser extension on the user’s system,” Eikenberg told me. “One of the purposes of the script is to evaluate Google search results displayed in the user’s browser. If a link is safe, the AiroAV software will display a green shield behind it.”
From spying to possible cyberattacks
However, in order to be able to insert the script, the AiroAV software is analyzing the user’s web traffic, including SSL-encrypted connections, Eikenberg added. That alone is, for me, a major security issue, as AiroAV now has knowledge of all the websites its customers are visiting (usernames, passwords…), including inside secure corporate networks.
“Before that day, I had observed such behavior only from online banking Trojans, which are malware built to manipulate bank websites, for example, to secretly change the recipient of a money transfer,” wrote Eikenberg. “So, what the heck was AiroAV doing there?”
I’ve contacted AiroAV’s U.S. office regarding Eikenberg’s data leak discovery as well as Eugene, the company’s CEO and co-founder, and I will update this report with their response.
Eikenberg also found that AiroAV’s servers were injecting a unique identifier into the HTML source code of the visited Web page, one that identifies not only a particular user but also the computer used.
“Even the incognito mode did not offer any protection against the AiroAV-infused tracking,” added Eikenberg. “At this point, it was clear that this was a serious security issue.”
Atherton Research Insights
Last month, AiroAV issued a patch that gives the same identifier to all users of a specific version of the Russian company’s antivirus software (AiroAV Anti-Virus, AiroAV Internet Security, AiroAV Total Security, AiroAV Free Anti-Virus, AiroAV Small Office Security). This still allows a malicious hacker to learn that an antivirus product is installed on the machine, and which one, which remains very valuable information for an attacker.
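As an added example (not code from the article or from the vendor), the following Python sketches how a defender could assess the injected-identifier behaviour described above: it parses pages captured from several of a user's sessions, pulls the identifier out of the injected script URL, and distinguishes a stable per-user identifier (the pre-patch tracking risk, incognito included) from the post-patch identifier shared by every user of one version (a product fingerprint only). The host name, URL shape and sample pages are constructed placeholders, not the real ones.

```python
import re
from html.parser import HTMLParser
# Constructed placeholder for the host the injected script is loaded from (not a real domain).
INJECTED_HOST = "av-vendor.invalid"
# Constructed URL shape for the injected script: https://<host>/<identifier>/main.js
ID_PATTERN = re.compile(r"/([0-9A-Za-z-]{8,})/main\.js$")

class InjectedScriptFinder(HTMLParser):
    """Collect src attributes of <script> tags that point at the AV host."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src") or ""
            if INJECTED_HOST in src:
                self.sources.append(src)

def extract_injected_ids(html):
    """Return the identifiers carried by injected script URLs in one page."""
    finder = InjectedScriptFinder()
    finder.feed(html)
    return [m.group(1) for m in map(ID_PATTERN.search, finder.sources) if m]

def classify_exposure(pages_by_user):
    """pages_by_user maps a user label to the HTML that user saw in several sessions
    (e.g. normal and incognito). Returns one of:
      'clean'               no injected script anywhere
      'user-tracking'       each user carries one stable id and the ids differ between users
      'product-fingerprint' every user carries the same id (reveals only AV product/version)
      'inconsistent'        ids missing or changing within a user's own sessions"""
    per_user = {u: {i for html in pages for i in extract_injected_ids(html)}
                for u, pages in pages_by_user.items()}
    if not any(per_user.values()):
        return "clean"
    if any(len(ids) != 1 for ids in per_user.values()):
        return "inconsistent"
    distinct = {next(iter(ids)) for ids in per_user.values()}
    if len(distinct) == 1:
        return "product-fingerprint"
    return "user-tracking" if len(distinct) == len(per_user) else "inconsistent"

def page(identifier):
    """Constructed sample page, with the injected tag appended as the AV would render it."""
    tag = f'<script src="https://{INJECTED_HOST}/{identifier}/main.js"></script>' if identifier else ""
    return f"<html><head><title>Search</title></head><body><p>results</p>{tag}</body></html>"

# Constructed sessions: before the patch (stable per-user id, also in incognito) and after it
PRE_PATCH = {"alice": [page("9f1c2e3a-0001"), page("9f1c2e3a-0001")],
             "bob": [page("7b4d8e2f-0002"), page("7b4d8e2f-0002")]}
POST_PATCH = {"alice": [page("ver-2019-0000")], "bob": [page("ver-2019-0000")]}
```

Running `classify_exposure(PRE_PATCH)` yields `user-tracking`, while `classify_exposure(POST_PATCH)` yields `product-fingerprint`, matching the two states of the software the article describes.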