Exclusive: Researchers say Kaspersky web portal exposed users to session hijacking, account takeovers

Security researchers say they discovered several vulnerabilities and security lapses in Kaspersky Lab's my.kaspersky.com web portal earlier this month, adding that the flaws exposed users to potential session hijackings and account takeovers.

According to a new report from the cybersecurity firm LMNTRIX – shared first with SC Media – the issues were found primarily in the processes for authentication, session management and validation, and password changes.

More specifically, the report notes that my.kaspersky.com lacked protections against automated brute-force and credential-stuffing attacks (which can lead to an account takeover), allowed weak or default passwords (such as admin/admin), employed insecure credential-recovery processes (e.g. knowledge-based security questions), and had missing or ineffective multi-factor authentication.

Problems with the session IDs included exposed IDs in the URL, failure to rotate the IDs after a successful log-in, and a failure to invalidate a session ID after the portal visitor logs out or remains inactive for a long period of time.
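As an added illustration of the three session-ID controls the report lists as missing (example code written for this article, not code from Kaspersky's portal or from the LMNTRIX report), here is a minimal server-side session store that rotates the ID on login, invalidates it on logout, and expires it after inactivity, and that hands the ID out only as a cookie, never in a URL. The 15-minute idle timeout and the injectable clock are assumptions made for the example.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; assumed policy value for this example


class SessionStore:
    """In-memory session store; a real deployment would back this with a
    shared store, but the control logic is the same."""

    def __init__(self, now=time.time):
        self._sessions = {}  # session_id -> {"user": str | None, "last_seen": float}
        self._now = now      # injectable clock so expiry can be tested deterministically

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable

    def start_anonymous(self):
        """Pre-authentication session, e.g. for the login form itself."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._now()}
        return sid

    def login(self, old_sid, user):
        """Rotate on login: the pre-auth ID is discarded so an ID observed or
        planted before authentication never becomes an authenticated one."""
        self._sessions.pop(old_sid, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def logout(self, sid):
        """Invalidate server-side; clearing the browser cookie alone is not enough."""
        return self._sessions.pop(sid, None) is not None

    def resolve(self, sid):
        """Return the user for a live session, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # idle expiry is enforced, not merely advised
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    @staticmethod
    def cookie_header(sid):
        """The only place the ID should travel: a cookie the browser will not
        leak via URLs, logs, or Referer headers."""
        return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
```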

In response to LMNTRIX's report, Kaspersky Lab issued the following statement: “Kaspersky Lab is aware of the LMNTRIX research regarding the My Kaspersky web portal. The security of our customers is our top priority, which is why we always take independent research very seriously. Kaspersky Lab's experts have thoroughly checked the scenario of broken authentication and session management, based on the description shared by the researcher, and haven't yet been able to reproduce it. We have reached out to the researcher for further clarifications.” The company also added that its My Kaspersky portal meets OWASP and CWE standards.

Oddly, the above statement appears to suggest that Kaspersky was unable to fully corroborate or reproduce the researchers' work, yet LMNTRIX stated in its report that Kaspersky fixed the issues. SC Media has reached out to both LMNTRIX and Kaspersky Lab for further clarification.