"My inquiries revealed that the leak was introduced with Kaspersky's '2016' editions, released in the Autumn of 2015. And the UUID wasn't hidden. If I was able to find it by happenstance, various people, from eager marketers to malicious attackers may have been exploiting it for almost four years," he stated in an article titled "Kasper-Spy: Kaspersky Anti-Virus puts users at risk" in the magazine published Thursday.
Because this script was injected into web traffic, many users might have been tracked, and hackers might have misused the data collected. Even users who enabled incognito mode could still be tracked.
Kaspersky has also issued an official statement on the matter: "After our internal research, we have concluded that such scenarios of user's privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process. We'd like to thank Ronald Eikenberg for reporting this to us."
If you own this version of Kaspersky Antivirus, you should check the software's settings. Open the settings, navigate to Additional/Network, go to Traffic Processing, and uncheck "Inject script into web traffic to interact with web pages."
Kaspersky has already been notified of the problem, and the company has confirmed that it exists on all versions of the antivirus. The company stated that it fixed the problem in a June update and that it has also "alerted users about the flaw."
Kaspersky, along with other firms such as Huawei, is already under scrutiny by the U.S. government. Kaspersky has its headquarters in Moscow, Russia, and security agencies have repeatedly accused the company of being complicit in espionage. While nothing has been expressly proved against the company, such findings are definitely going to impact its image.