XSS vulnerabilities in several pages have been disclosed

Feb 23, 2009 10:28 GMT

Kaspersky Labs' website security has come under scrutiny again from vulnerability hunters, shortly after a SQL injection vulnerability was found. An ethical hacker has disclosed that three different pages in the German section of the Kaspersky website are vulnerable to cross-site scripting (XSS) attacks.

A hacker going by the handle [-TE-]-Methodman has published evidence of the vulnerabilities on the website of a Direct Connect (p2p file sharing technology) network, called ']['€AM€LiT€ (Team Elite). The network seems to be composed of several separate hubs and the team managing it is developing various mods, templates, plugins and administration tools for Direct Connect applications.

The three affected pages are http://www.kaspersky.com/de/partner, http://www.kaspersky.com/de/hosted and http://www.kaspersky.com/de/anti-virus_linux. "This Bug can be exploited by malicious people to conduct phishing attacks," Methodman writes. In addition, "An attacker can steal cookie based authentication credentials," he warns.

By appending <script>alert(document.cookie)</script> to the vulnerable URL, the visitor's cookies, including any authentication cookie, are displayed back to them; inserting different JavaScript code between the script tags would allow other types of attacks. Methodman published the proof-of-concept on Sunday, 22 February, 2009; however, the vulnerabilities were still active at the time this article was being written.
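The reflection described above, as an added example (not code from the article, from Methodman's post, or from Kaspersky's site): a handler that echoes a query parameter unencoded beside its HTML-encoded form, an HttpOnly session cookie that keeps document.cookie from exposing the session, and a check that flags script-tag probes in request URLs. The page path, the parameter name q and the cookie name are assumptions; the article gives no details of the affected parameter.

```javascript
// Payload quoted in the article.
const PAYLOAD = "<script>alert(document.cookie)</script>";

// Vulnerable: the query parameter is concatenated straight into the HTML
// response, so any markup in it becomes part of the page.
function renderVulnerable(q) {
  return `<h1>Partner search: ${q}</h1>`;
}

// Hardened: encode every character that can change the HTML context before
// the value is placed in the markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;",
                '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}
function renderSafe(q) {
  return `<h1>Partner search: ${escapeHtml(q)}</h1>`;
}

// Second layer: an HttpOnly session cookie is not readable via
// document.cookie, so a script injected elsewhere cannot lift it.
// (Cookie name "session" is assumed.)
function sessionCookieHeader(value) {
  return `session=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Detection: flag request URLs whose query string carries a script tag,
// a javascript: URL or an inline event handler, for alerting on access logs.
function looksLikeXssProbe(url) {
  const search = new URL(url, "https://example.invalid").search;
  let q;
  try { q = decodeURIComponent(search); } catch (e) { q = search; }
  return /<\s*script|javascript:|on\w+\s*=/i.test(q);
}

// Usage (hypothetical path): the safe renderer neutralises the payload.
console.log(renderSafe(PAYLOAD));
```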

During the past two weeks, the Romanian HackersBlog team disclosed SQL injection vulnerabilities affecting the websites of multiple antivirus vendors, including Kaspersky, Bitdefender, F-Secure and Symantec. This seems to have inspired other ethical hackers to probe such websites for more bugs, which goes to show that virtually anyone can be affected by security issues, even the people selling security solutions.

Clearly, this XSS flaw is less serious than the previously disclosed SQL injection one, which had the potential to compromise a database containing around 2,500 customer e-mail addresses and 25,000 software activation keys. Even so, Kaspersky Labs is both a veteran and a pioneer of the antivirus market, and the prospect of its pages being used to launch phishing campaigns or other attacks against users is alarming, to say the least, and could do considerable damage to its public image.

Note: We have contacted the security vendor and requested some explanations regarding this incident. Please keep an eye on this page for future updates in case it responds.

Update: Kaspersky Labs has confirmed the existence of the vulnerability and claims to have reacted promptly to address it. "On 23 February, 2009, a security weakness was discovered on one of the subsections of Kaspersky Lab’s global website, http://www.kaspersky.com. The weakness, known as XSS or Cross Site Scripting, was closed within minutes of being detected," a company representative wrote in an e-mail to Softpedia.

Furthermore, the spokesperson noted that while it posed some risk to the site's visitors, the impact of the vulnerability was minimal. "It did not result in any serious data leakage and could only have targeted users that visited a specially designed webpage on attacker's webserver. Kaspersky Lab’s security experts rate XSS weaknesses as low risk because a large number of conditions have to be met before it can affect users," he explained.

The investigation launched by the company concluded that "there has been no evidence that a malicious webpage targeting users was actually created by the attackers. Users navigating directly to www.kaspersky.com were – and remain – safe."

Update: The article was modified to correct an error where the "DC++" name was improperly used instead of "Direct Connect." Direct Connect is the p2p file sharing protocol, while DC++ is a client for it. Team Elite is in no way affiliated with the DC++ project or its developers.
