Security researchers say they discovered several vulnerabilities and security lapses in Kaspersky Lab's my.kaspersky.com web portal earlier this month, adding that the flaws exposed users to potential session hijackings and account takeovers.
According to a new report from the cybersecurity firm LMNTRIX – shared first with SC Media – the issues primarily were found in the processes for authentication, session management and validation, and password changes. The researchers say the problems were remedied following private notification, yet Kaspersky Lab is denying that most of the issues existed in the first place.
More specifically, the LMNTRIX report notes that my.kaspersky.com suffered from a lack of protections against automated brute force and credential stuffing attacks (which can lead to an account takeover), allowed weak or default passwords (such as admin/admin), employed insecure credentials recovery processes (e.g. knowledge-based security questions), and had missing or ineffective multi-factor authentication.
Problems with the session IDs reportedly included exposed IDs in the URL, failure to rotate the IDs after a successful log-in, and a failure to invalidate a session ID after the portal visitor logs out or remains inactive for a long period of time.
In a statement provided to SC Media, Kaspersky disputes most of LMNTRIX's account, asserting that the reported vulnerabilities "were never confirmed" in the first place, and therefore no action was taken.
Kaspersky Lab is also accusing LMNTRIX of several "misperceptions," claiming that its web portal is protected against automated attacks by Google's reCAPTCHA system, that knowledge-based security questions have not been used for password recovery since April 2017, and that passwords actually require at least eight symbols, including uppercase, lowercase, and numeric characters.
The statement further notes that the session ID problems that LMNTRIX researchers claim to have found "cannot be reproduced, and the fact that this scenario has ever been realized cannot be proven without additional information (such as logs), which the researcher has failed to provide Kaspersky Lab with."
Kaspersky did concede that the portal lacks multifactor authentication, which the cybersecurity company says is being implemented in all regions this year. The company also added that its My Kaspersky portal meets OWASP and CWE standards.
LMNTRIX delayed publishing its findings until Mar. 1, after engaging in further dialogue with Kaspersky. In a small update to the draft provided to SC Media, LMNTRIX acknowledged that since Feb. 10 it has not been able to reproduce the results of its findings, but contend that it's because the issues were ultimately resolved. LMNTRIX researchers were unavailable for a phone interview.
"While some elements of this report are currently in dispute, LMNTRIX stands by its research methodology," the online report states. "Our researchers discovered and produced the issues outlined above on February 5, 2018, and immediately reported them. We have since been coordinating with the subject of the research to reproduce the results; however [we] have been unable to do so since February 10, 2018, and therefore believe the issues have been resolved."