A Chrome extension that AVG AntiVirus automatically installs on users’ systems exposes browsing history and other personal data to the Internet, Google Project Zero researcher Tavis Ormandy has discovered.
According to Ormandy’s report, the Chrome extension, dubbed AVG Web TuneUp and featuring extension id chfdnecihphmhljaaejmgoiahnihplgn, is force-installed on the end-user systems along with the AVG AntiVirus application. The extension adds a series of vulnerabilities to the browser, thus putting its more than 9 million installed users at risk.
The researcher explains that the extension has been designed to add numerous JavaScript API’s to Chrome to hijack search settings and the new tab page, but many of these API’s are broken. Moreover, he notes that the installation process of the extension is so complicated that it can bypass the Chrome malware checks, which have been specifically designed to prevent abuse of the extension API.
Among the vulnerabilities that AVG Web TuneUp brings along, the researcher mentions a “trivial universal” XSS (Cross-Site Scripting) in the “navigate” API, which could allow websites to execute scripts in the context of any other domains. According to Ormandy, a website could read emails from mail.google.com and perform other actions as well because of this high-severity flaw.
The Google Project Zero researcher also explains that the “recently” API extension exposes the browsing history of a user to the Internet. He also notes that the vulnerable extension and APIs might also be used for Remote Code Execution, should one dedicate enough time and effort into finding the right issues with them.
Ormandy, who has been working with AVG for the past few weeks to resolve the flaws in this extension, also managed to create an exploit that steals cookies from avg.com. He also rejected an initial fix for the vulnerability, which only checked “if the message origin contains the string .avg.com.”
He went on saying that the extension was still allowing a man-in-the-middle (MitM) attacker to inject JavaScript into *any* origin, even a secure origin (HTTPS sites), thus denying SSL protection to those who use the extension. Moreover, the researcher explained that any XSS on avg.com could be used to compromise Chrome users.
AVG appears to have resolved the security issues in version 4.2.5.169 of the AVG Web TuneUp Chrome extension. However, the Chrome Web Store team has disabled inline installations for this extension, meaning that users need to access the store and download the updated version manually. In the meantime, the Chrome Web Store team is investigating possible policy violations, Ormandy says.
Earlier this month, data exfiltration prevention firm enSilo revealed that a serious vulnerability found in AVG Internet Security 2015 could have been exploited by malicious actors to bypass Windows protection features. Security products such as Kaspersky’s Anti-Virus 2015 MR2 and Internet Security 2015 MR2, and Intel Security’s McAfee VirusScan Enterprise version 8.8 were also affected by the flaw.