Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

AVG Chrome Extension Exposes User Data

A Chrome extension that AVG AntiVirus automatically installs on users’ systems exposes browsing history and other personal data to the Internet, Google Project Zero researcher Tavis Ormandy has discovered.

A Chrome extension that AVG AntiVirus automatically installs on users’ systems exposes browsing history and other personal data to the Internet, Google Project Zero researcher Tavis Ormandy has discovered.

According to Ormandy’s report, the Chrome extension, dubbed AVG Web TuneUp and featuring extension id chfdnecihphmhljaaejmgoiahnihplgn, is force-installed on the end-user systems along with the AVG AntiVirus application. The extension adds a series of vulnerabilities to the browser, thus putting its more than 9 million installed users at risk.

The researcher explains that the extension has been designed to add numerous JavaScript API’s to Chrome to hijack search settings and the new tab page, but many of these API’s are broken. Moreover, he notes that the installation process of the extension is so complicated that it can bypass the Chrome malware checks, which have been specifically designed to prevent abuse of the extension API.

Among the vulnerabilities that AVG Web TuneUp brings along, the researcher mentions a “trivial universal” XSS (Cross-Site Scripting) in the “navigate” API, which could allow websites to execute scripts in the context of any other domains. According to Ormandy, a website could read emails from mail.google.com and perform other actions as well because of this high-severity flaw.

The Google Project Zero researcher also explains that the “recently” API extension exposes the browsing history of a user to the Internet. He also notes that the vulnerable extension and APIs might also be used for Remote Code Execution, should one dedicate enough time and effort into finding the right issues with them.

Ormandy, who has been working with AVG for the past few weeks to resolve the flaws in this extension, also managed to create an exploit that steals cookies from avg.com. He also rejected an initial fix for the vulnerability, which only checked “if the message origin contains the string .avg.com.”

He went on saying that the extension was still allowing a man-in-the-middle (MitM) attacker to inject JavaScript into *any* origin, even a secure origin (HTTPS sites), thus denying SSL protection to those who use the extension. Moreover, the researcher explained that any XSS on avg.com could be used to compromise Chrome users.

AVG appears to have resolved the security issues in version 4.2.5.169 of the AVG Web TuneUp Chrome extension. However, the Chrome Web Store team has disabled inline installations for this extension, meaning that users need to access the store and download the updated version manually. In the meantime, the Chrome Web Store team is investigating possible policy violations, Ormandy says.

Advertisement. Scroll to continue reading.

Earlier this month, data exfiltration prevention firm enSilo revealed that a serious vulnerability found in AVG Internet Security 2015 could have been exploited by malicious actors to bypass Windows protection features. Security products such as Kaspersky’s Anti-Virus 2015 MR2 and Internet Security 2015 MR2, and Intel Security’s McAfee VirusScan Enterprise version 8.8 were also affected by the flaw.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.