Thanks to Kaspersky Lab’s bug bounty programme, an independent security researcher recently found several security vulnerabilities in the firm’s security products that would have allowed attackers to send commands to the main application and to read data such as the product ID, product version, and operating system version.
In a blog post published earlier this week, Kaspersky Lab thanked independent security researcher Wladimir Palant for uncovering multiple security vulnerabilities in the communication channel between a browser script and the main body of the security solution.
Kaspersky Lab offers its customers the Kaspersky Protection browser extension that blocks ads and trackers and warns users about malicious search results. If users do not install this extension, the firm’s security software Kaspersky Internet Security 2019 injects scripts into web pages visited by users to monitor them for potential threats.
The researcher found vulnerabilities in scripts associated with Kaspersky Internet Security 2019
Palant discovered multiple security vulnerabilities in the communication channel between these injected scripts and the main body of the security solution; the flaws allowed an attacker to send commands to the main application. He reported the issues via Kaspersky Lab’s bug bounty programme, and they were fixed earlier this year.
“Another of Palant’s findings was a potential exploit using the communication channel between the browser extension and the product, for example to access important data such as a Kaspersky security solution’s product ID, product version, and operating system version. We fixed that as well,” the firm said.
The firm said that even though bugs were discovered in the scripts its products inject into web pages, it will continue to use such scripts: they not only help block banners, but also protect users against attacks delivered through dynamic web pages, which cannot otherwise be detected when the Kaspersky Protection extension is disabled. Features such as parental control and anti-phishing also rely on these scripts to function.
Kaspersky Lab runs its bug bounty programme in association with HackerOne and offers security researchers and white-hat hackers up to $100,000 for reporting security vulnerabilities in its security products.
“We want to thank everyone who helps us find bugs in our products. It is partly due to their efforts that our solutions continue to be the best, as proved by different independent test laboratories, and we invite all security researchers to participate in our bug bounty programme.
“Nothing is absolutely secure. However, by working together with security researchers, fixing vulnerabilities as soon as possible, and constantly improving our technologies we can offer our users the strongest protection in existence against all possible threats,” the firm added.
A bug bounty programme costs much less than amounts lost to data breaches
In October, bug bounty and pentesting platform HackerOne said that four major data breach incidents that took place between 2015 and 2018, and inflicted losses of £265 million on the likes of British Airways, TalkTalk, Carphone Warehouse, and TicketMaster, could have been prevented had these organisations invested between £9,600 and £32,000 in bug bounty programmes to uncover hidden vulnerabilities in their systems.
“By running bug bounty programmes and asking hackers to find their weak spots, our customers have safely resolved over 120,000 vulnerabilities before a breach could occur,” said Prash Somaiya, security engineer at HackerOne.
“This research is a rough estimate on bounty prices, based on our existing programmes across the same industries, but it does highlight that companies can save millions and reduce risk by being proactive when it comes to identifying and patching their vulnerabilities,” he added.
A recent study conducted by HackerOne found that when a bug bounty programme is launched, hackers uncover the first vulnerability within 24 hours in 77% of cases. As many as one in four vulnerabilities uncovered by hackers participating in bug bounty programmes are classified as high or critical severity.
Earlier this year, the firm also revealed that five hackers had each earned $1 million by hacking into networks owned by the likes of Airbnb, the US Department of Defense, Goldman Sachs and Spotify. In 2018, hackers earned a total of $21 million by reporting vulnerabilities under bug bounty programmes, with hackers from the U.S., India, and Russia collecting 36% of the total value of awarded bounties.