C't today reported that Kaspersky injected a Universally Unique Identifier (UUID) into the HTML source of all web pages without user consent. Previous versions of the antivirus software generated a UUID for each user; a July 11 patch changed it to a not-so-unique identifier but didn't stop the injection.
UUIDs are nearly ubiquitous. Companies use them to identify users, devices, and other entities that need to be tracked. But if these identifiers aren't properly managed, they could be used for nefarious purposes. Bluetooth stopped advertising unique identifiers, for example, because hackers were using them to stalk people. Other companies have taken similar precautions with the tools they use, whether they're UUIDs or something else, as identifiers.
Kaspersky essentially did the opposite. C't said it discovered in June that the antivirus software was injecting a string containing a UUID into every web page they visited. It's not clear why these UUIDs were injected--although one feature that marked certain Google search results as "safe" might be the culprit--or how they were supposed to be used. The company simply generated and injected these UUIDs into web pages without user consent.
C't said it built a simple website capable of collecting these UUIDs before reporting the issue to Kaspersky. Then it told the company about the issue, engaged in a bit of back-and-forth regarding the severity of the problem, and watched as Kaspersky released the patch in July. But further testing showed that Kaspersky hadn't stopped injecting this string into its users' browsing activity; it merely ditched the UUID for a static identifier.
That change does reduce the privacy impact of Kaspersky's code injection. It doesn't completely remove the risk to its customers, though, because knowing that someone uses Kaspersky could still be a valuable piece of information. Anyone relying on previous versions of the antivirus--which likely contain vulnerabilities patched in more recent versions--could be targeted because the tool that was supposed to protect them revealed a weakness.
We said earlier this week that improvements to Windows Defender made it hard to recommend third-party antivirus solutions for Windows 10. Knowing that Kaspersky gave website operators an easy way to track its users without their knowledge or consent makes that recommendation even harder to make. People bought a tool so they could defend their systems, but instead, they got one that intentionally broadcast a unique identifier to the world.