Batu69 Posted December 29, 2015

AVG installs poorly-written Chrome extension

AVG fixes vulnerable Chrome extension

The AVG Web TuneUp Chrome extension, forcibly added to Google Chrome browsers when users were installing the AVG antivirus, had a serious flaw that allowed attackers to get the user's browsing history, cookies, and more.

The vulnerability was discovered by Google Project Zero researcher, Tavis Ormandy, who worked with AVG for the past two weeks to fix the issue.

AVG Web TuneUp vulnerable to a universal XSS

As Mr. Ormandy explains in his bug report, the AVG Web TuneUp extension, which lists over nine million users on its Chrome Web Store page, was vulnerable to trivial XSS (cross-site scripting) attacks.

Attackers aware of this problem would have been able to access a user's cookies, browsing history, and various other details exposed via Chrome.

"This extension adds numerous JavaScript APIs to Chrome, apparently so that they can hijack search settings and the new tab page," explains Mr. Ormandy. "The installation process is quite complicated so that they [AVG] can bypass the Chrome [Store] malware checks, which specifically tries to stop abuse of the [Chrome] Extension API."

A half-baked Chrome extension

During his research, Mr. Ormandy discovered that many of the custom JavaScript APIs added to Chrome by this extension are responsible for the security issue, being broken or poorly written, allowing attackers access to personal details.

AVG's developers ignored or failed to protect their users against simple cross-domain requests, allowing code hosted on one domain to be executed in the context of another URL.

Theoretically, this would give attackers access to data stored on other websites, such as Gmail, Yahoo, banking websites, and more of the such. All that attackers had to do was to convince a user to access a malicious URL.

The extension rendered HTTPS connections useless

Websites hosted on HTTPS were also susceptible, Mr. Ormandy stating that users of this extension "have SSL disabled."

Version 4.2.5.169 of AVG Web TuneUp fixed this issue. In the meantime, Google blocked the ability for AVG to carry out inline installations of this extension. This means that users that want to install the extension have to go to the Chrome Web Store and trigger the download with a click.

Additionally, the Chrome Web Store team is also investigating AVG for possible Web Store policy violations.
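
Added example, not part of the post above, the quoted article, or AVG's code: the article attributes the flaw to extension-added JavaScript APIs that did not guard against cross-domain requests. The sketch below assumes such an API is reached from web pages through window.postMessage (an assumption; the article does not say how) and contrasts a handler with no origin check against one that enforces an exact HTTPS origin and a command allowlist. All names, commands and origins are hypothetical.

```javascript
// Added example with constructed data; every name and origin here is hypothetical.
const ALLOWED_ORIGINS = new Set(["https://vendor.example"]); // assumed vendor page
const ALLOWED_COMMANDS = new Set(["getSearchProvider"]);      // assumed low-risk call

// Stand-in for the extension's privileged side (tabs, history, cookies).
function privilegedDispatch(command) {
  return { ran: command };
}

// Weak form: any page able to post a message can drive the privileged API.
function handleMessageWeak(event) {
  return privilegedDispatch(event.data.command);
}

// Hardened form: exact HTTPS origin match plus a command allowlist.
function handleMessageHardened(event) {
  let origin;
  try {
    origin = new URL(event.origin); // opaque origins arrive as "null" and throw here
  } catch {
    return { rejected: "unparseable origin" };
  }
  if (origin.protocol !== "https:") return { rejected: "non-HTTPS origin" };
  if (!ALLOWED_ORIGINS.has(origin.origin)) return { rejected: "origin not allowlisted" };
  const data = event.data;
  if (typeof data !== "object" || data === null) return { rejected: "malformed message" };
  if (!ALLOWED_COMMANDS.has(data.command)) return { rejected: "command not allowlisted" };
  return privilegedDispatch(data.command);
}

// Constructed sample messages, as a content script would receive them.
const SAMPLE_EVENTS = [
  { origin: "https://vendor.example", data: { command: "getSearchProvider" } },
  { origin: "https://vendor.example", data: { command: "readHistory" } },
  { origin: "https://vendor.example.attacker.test", data: { command: "getSearchProvider" } },
  { origin: "http://vendor.example", data: { command: "getSearchProvider" } },
  { origin: "null", data: { command: "getSearchProvider" } },
];

function compareHandlers() {
  return SAMPLE_EVENTS.map((event) => ({
    origin: event.origin,
    weak: handleMessageWeak(event),
    hardened: handleMessageHardened(event),
  }));
}

console.log(compareHandlers());
```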

straycat19 Posted December 29, 2015

AVG is crapware. They bought TuneUp Utilities after it was found to not do what it was supposed to and all the purchasers received their money back several years ago. Now they are hawking the same crap and 'adding' more crap to it. If you run anything from AVG you ought to wear a sign that reads "I'm stupid, ignorant and a total idiot. If brains were dynamite, I wouldn't have enough to blow my nose."

RejZoR Posted December 29, 2015

AVG is a stupid, bloatedly buggy program. It may score well in recent tests but god it's designed by absolute morons. That stupid interface and functions and false positives, oh my god, I always try their new version and always absolutely hate it afterwards.

pc71520 Posted December 30, 2015

I've never liked AVG.