Security researchers say they discovered several vulnerabilities and security lapses in Kaspersky Lab's my.kaspersky.com web portal earlier this month, adding that the flaws exposed users to potential session hijackings and account takeovers.
According to a new report from the cybersecurity firm LMNTRIX – shared first with SC Media – the issues were primarily found in the processes for authentication, session management and validation, and password changes. The researchers say the problems were remedied following private notification, yet Kaspersky Lab denies that most of the issues existed in the first place.
More specifically, the LMNTRIX report notes that my.kaspersky.com suffered from a lack of protections against automated brute force and credential stuffing attacks (which can lead to an account takeover), allowed weak or default passwords (such as admin/admin), employed insecure credentials recovery processes (e.g. knowledge-based security questions), and had missing or ineffective multi-factor authentication.
Problems with the session IDs reportedly included exposed IDs in the URL, failure to rotate the IDs after a successful log-in, and a failure to invalidate a session ID after the portal visitor logs out or remains inactive for a long period of time.
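As an added illustration, not code from LMNTRIX, Kaspersky or the portal, the following Python session store shows the three session-handling controls the report says were missing: rotating the ID on login, invalidating it on logout, and expiring it after inactivity, with the ID carried in a cookie rather than the URL. The idle timeout value and the cookie name are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 900  # seconds of inactivity before a session is dropped (assumed value)


class SessionStore:
    """In-memory session store: rotate on login, invalidate on logout, expire when idle."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # session_id -> {"user": str | None, "last_seen": float}
        self._clock = clock   # injectable clock so expiry can be tested deterministically

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable

    def create_anonymous(self):
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, old_sid, user):
        # Rotate: the pre-authentication ID is discarded, so an ID that was fixated
        # or leaked before login grants nothing afterwards.
        self._sessions.pop(old_sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def logout(self, sid):
        # Server-side invalidation; clearing the cookie in the browser alone is not enough.
        return self._sessions.pop(sid, None) is not None

    def resolve(self, sid):
        """Return the user for a live authenticated session, else None."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]   # idle sessions are purged rather than left valid
            return None
        entry["last_seen"] = now
        return entry["user"]


def set_cookie_header(sid):
    # The ID travels in a cookie, never in the URL, so it cannot leak through
    # server logs, browser history or the Referer header.
    return f"Set-Cookie: SID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```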
In a statement provided to SC Media, Kaspersky disputes most of LMNTRIX's account, asserting that the reported vulnerabilities "were never confirmed" in the first place, and therefore no action was taken.
Kaspersky Lab is also accusing LMNTRIX of several "misperceptions," claiming that its web portal is protected against automated attacks by Google's reCAPTCHA system, that knowledge-based security questions have not been used for password recovery since April 2017, and that passwords actually require at least eight symbols, including uppercase, lowercase, and numeric characters.
The statement further notes that the session ID problems that LMNTRIX researchers claim to have found "cannot be reproduced, and the fact that this scenario has ever been realized cannot be proven without additional information (such as logs), which the researcher has failed to provide Kaspersky Lab with."
Kaspersky did acknowledge an absence of multi-factor authentication, which the cybersecurity company says is being implemented in all regions this year. The company added that its My Kaspersky portal meets OWASP and CWE standards.
In an attempt to follow up on the written report, SC Media requested a phone interview with LMNTRIX researchers via a media representative, but was told the researchers were unavailable for a phone interview due to time zone and language differences.