Network Security, Patch/Configuration Management, Vulnerability Management

Exclusive: Researchers say Kaspersky web portal exposed users to session hijacking, account takeovers


Security researchers say they discovered several vulnerabilities and security lapses in Kaspersky Lab's web portal earlier this month, adding that the flaws exposed users to potential session hijackings and account takeovers.

According to a new report from the cybersecurity firm LMNTRIX – shared first with SC Media – the issues primarily were found in the processes for authentication, session management and validation, and password changes. The researchers say the problems were remedied following private notification, yet Kaspersky Lab is denying that most of the issues existed in the first place.

More specifically, the LMNTRIX report notes that suffered from a lack of protections against automated brute force and credential stuffing attacks (which can lead to an account takeover), allowed weak or default passwords (such as admin/admin), employed insecure credentials recovery processes (e.g. knowledge-based security questions), and had missing or ineffective multi-factor authentication.

Problems with the session IDs reportedly included exposed IDs in the URL, failure to rotate the IDs after a successful log-in, and a failure to invalidate a session ID after the portal visitor logs out or remains inactive for a long period of time.

In a statement provided to SC Media, Kaspersky disputes most of LMNTRIX's account, asserting that the reported vulnerabilities "were never confirmed" in the first place, and therefore no action was taken.

Kaspersky Lab is also accusing LMNTRIX of several "misperceptions," claiming that its web portal is protected against automated attacks by Google's reCAPTCHA system, that knowledge-based security questions have not been used for password recovery since April 2017, and that passwords actually require at least eight symbols, including uppercase, lowercase, and numeric characters.

The statement further notes that the session ID problems that LMNTRIX researchers claim to have found "cannot be reproduced, and the fact that this scenario has ever been realized cannot be proven without additional information (such as logs), which the researcher has failed to provide Kaspersky Lab with."

Kaspersky did concede that the portal lacks multifactor authentication, which the cybersecurity company says is being implemented in all regions this year. The company also added that its My Kaspersky portal meets OWASP and CWE standards.

LMNTRIX delayed publishing its findings until Mar. 1, after engaging in further dialogue with Kaspersky. In a small update to the draft provided to SC Media, LMNTRIX acknowledged that since Feb. 10 it has not been able to reproduce the results of its findings, but contend that it's because the issues were ultimately resolved. LMNTRIX researchers were unavailable for a phone interview.

"While some elements of this report are currently in dispute, LMNTRIX stands by its research methodology," the online report states. "Our researchers discovered and produced the issues outlined above on February 5, 2018, and immediately reported them. We have since been coordinating with the subject of the research to reproduce the results; however [we] have been unable to do so since February 10, 2018, and therefore believe the issues have been resolved."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.