AVG's Web TuneUp Chrome add-on poses security risk

The vulnerability overrides security features in the Chrome browser built to stop personal data being distributed


Google has uncovered a vulnerability in AVG's Web TuneUp software, a product specifically built to safeguard users against hidden threats.

The flaw was uncovered by Tavis Ormandy, who works on Google's security team. He explained that the software force-installs a plugin in the Chrome browser without asking for the user's permission.

In doing so, the software could expose the user's personal details and internet history to criminals trawling the web for such details. The code could also let hackers spy on victims' emails and other online activities, he said.

"This extension adds numerous JavaScript APIs to Chrome, apparently so that they can hijack search settings and the new tab page," Ormandy wrote in the bug report.

"The installation process is quite complicated so that they can bypass the Chrome malware checks, which specifically try to stop abuse of the extension API."

He added: "Anyway, many of the APIs are broken, the attached exploit steals cookies from avg.com. It also exposes browsing history and other personal data to the internet, I wouldn't be surprised if it's possible to turn this into arbitrary code execution."

After discovering the problem, Ormandy wrote a letter to AVG, highlighting the issue and advising the company to fix the problem immediately.

"My concern is that your security software is disabling web security for nine million Chrome users, apparently so that you can hijack search settings and the new tab page," he wrote.

"There are multiple obvious attacks possible, for example, here is a trivial universal XSS in the 'navigate' API that can allow any website to execute script in the context of any other domain. For example, attacker.com can read email from mail.google.com, or corp.avg.com, or whatever else. I hope the severity of this issue is clear to you, fixing it should be your highest priority."

AVG responded to the concerns, thanking Google for discovering the flaw and claiming it had fixed the issue. Google then replied that the fix had not stopped the add-on from auto-installing itself as a Chrome extension.
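As an added illustration (not AVG's code and not from the bug report), this is the kind of check an extension-exposed navigation API of the sort Ormandy describes needs before acting on a request from a web page: the caller's origin is compared exactly against an allowlist and the target is restricted to http/https URLs. The names `ALLOWED_ORIGINS`, `ALLOWED_SCHEMES` and `validateNavigateRequest`, and the sample origins, are assumptions.

```javascript
// Added example, not AVG's code. A hardened request validator for a
// hypothetical extension-exposed "navigate" API of the kind described in the
// bug report. ALLOWED_ORIGINS and the sample origins are constructed.

// Exact origins (scheme + host + port) allowed to call the privileged API.
// A Set lookup is deliberate: regex or substring matching on the host lets
// "www.avg.com.attacker.example" pass as "avg.com".
const ALLOWED_ORIGINS = new Set(["https://www.avg.com"]);

// Schemes the extension may navigate a tab to. javascript:, data: and
// similar are excluded because a tab navigated to them runs the supplied
// script in the context of whatever page is currently loaded in that tab.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns { ok: true, url } with a normalised URL, or { ok: false, reason }.
// senderOrigin is the origin of the page that sent the message (what a
// message-passing API reports for the caller); target is the requested URL.
function validateNavigateRequest(senderOrigin, target) {
  if (typeof senderOrigin !== "string" || !ALLOWED_ORIGINS.has(senderOrigin)) {
    return { ok: false, reason: "caller origin is not allowlisted" };
  }
  let url;
  try {
    url = new URL(String(target)); // no base URL: relative targets are rejected
  } catch (e) {
    return { ok: false, reason: "target is not an absolute URL" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} is not permitted` };
  }
  // Drop embedded credentials so the API cannot be used to build
  // user:pass@host phishing URLs.
  url.username = "";
  url.password = "";
  return { ok: true, url: url.href };
}
```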
