As hard as it may be to believe that a software security company like AVG is shipping software which potentially puts millions at a security risk, it is true. If you have the AVG Web TuneUp Chrome extension installed, you are exposed to security vulnerabilities.
AVG Web TuneUp – An Unsecure Extension for Chrome
For those who are unaware, AVG Web TuneUp is an extension which flags unsafe websites in search results and popups or tells users if any website has questionable ratings. The extension basically prevents users from being exposed to unsafe websites when browsing the web.
Tavis Ormandy, a Google Project Zero researcher, was tasked with auditing antivirus softwares. He discovered that AVG’s extension was full of bugs making it completely vulnerable. The extension usually gets installed when someone installs the free or premium version of AVG antivirus package. The extension is being used by more than 9 million people (9,050,432 to be exact).
According to Google’s security research team, the extension leaked browsing history and any other personal data available via Google Chrome. Malicious websites could easily use the extension’s programming weaknesses to obtain all websites that the user was logged on to. In simpler words, hackers could run a script and take control of your Facebook, Gmail or any other websites that you were signed in to.
Other than the above-mentioned problems, man-in-the-middle attacks were also made possible by the extension. The AVG toolbar could be injected with a Javascript linked into webpages making any sort of SSL encryption entirely useless.
According to Ormandy, the issue’s so bad that he stated that,
Apologies for my harsh tone, but I’m really not thrilled about this trash being installed for Chrome users. The extension is so badly broken that I’m not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it’s a PuP [potentially unwanted program also known as malware].
Google has banned the extension until they make sure that all vulnerabilities have been removed. Since the news went public, AVG has nuked all the mentioned bugs in version 4.2.4.169. Google has instructed AVG to stop installing the extension automatically. From now on anyone who wants the extension will have to manually install it from the Chrome Web Store. Google’s store teams are also at work to find out if AVG violated any of its store policies.
AVG spokesperson had this to say on the subject “We thank the Google Security Research Team for making us aware of the vulnerability with the Web TuneUp optional Chrome extension. The vulnerability has been fixed; the fixed version has been published and automatically updated to users”.
LoL
And another chaapa ladies and gentlemen, presented to you straight from BBC Tech.