Google slams AVG for exposing Chrome user data with “security” plugin – Ars Technica

A free plugin installed by AVG AntiVirus bypassed the security of Google’s Chrome browser, potentially exposing the browsing histories and other personal data of customers to the Internet. The vulnerability, demonstrated in an exploit by a Google researcher earlier this year, has now been patched after initial stumbling attempts by AVG, according to a discussion of the bug in Google’s security research discussion list.
AVG’s “Web TuneUp” tool is a free download from the Chrome Store intended to provide reputation-based protection against malicious websites, and it was “force-installed” by AVG AntiVirus. The install, an “in-line” installation, happened only with user permission, but was performed in a way that broke the security checks Chrome uses to test for malicious plugins and malware.
The plugin works by sending the Web addresses of sites visited by the user to AVG’s servers to check them against a database of known malicious sites. But the way the plugin was constructed meant that information could be easily exploited by an attacker through cross-site scripting [XSS], according to a post by Google Security researcher Tavis Ormandy on December 15.
“This extension adds numerous JavaScript API’s to Chrome, apparently so that they can hijack search settings and the new tab page,” Ormandy wrote. “The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API. Anyway, many of the API’s are broken.”
Ormandy attached a proof-of-concept exploit that stole the authentication cookies from AVG’s website, which “also exposes browsing history and other personal data to the internet.” Ormandy added, “I wouldn’t be surprised if it’s possible to turn this into arbitrary code execution.”
Ormandy then sent what he described as an “angry e-mail” to AVG about the bugs. “Apologies for my harsh tone, but I’m really not thrilled about this trash being installed for Chrome users,” he wrote to AVG. “The extension is so badly broken that I’m not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it’s a PuP [Potentially unwanted Program]. Nevertheless, my concern is that your security software is disabling web security for 9 million Chrome users, apparently so that you can hijack search settings and the new tab page.”
AVG’s developers quickly turned around a fix, but all it did was try to “whitelist” requests from hosts whose names contained the string “avg.com”. Malicious websites that used avg.com in their names (such as the example in Ormandy’s response, https://www.avg.com.www.attacker.com) could still spoof the AVG servers, and attackers could still use a man-in-the-middle attack to pass malicious JavaScript back to a victim—regardless of whether the connection was secure or not. And, as Ormandy noted, “Any XSS on avg.com can be used to compromise Chrome users”—a quick search of AVG’s sites found plenty of opportunity for such attacks.
As of December 28, AVG had completed a more secure patch, but installations of the plugin were still frozen while Google’s Chrome Web Store team investigated possible policy violations by AVG—violations that could get AVG kicked off the Chrome Store completely.
Update: A Google spokesperson contacted Ars to clarify the nature of the freeze on AVG’s plugin. The block on AVG’s usage of inline installation has no effect on the extension update process, so users with the AVG extension installed should have automatically received the updated version, as with any routine update.
An AVG spokesperson sent a statement to Ars, claiming that the Web TuneUp Chrome extension is “offered as an option, not forcibly or automatically installed. Installation only begins once the customer has initiated the process and confirmed acceptance in Chrome—a double opt-in.” The spokesperson added, “There is no auto-installation of Google Chrome extensions; the “inline” option allows third parties to offer installation from their own site or product, rather than requiring customers to visit the Chrome Store. We fixed the reported vulnerability just prior to the holidays and do not expect Google to confirm the availability of inline installation until early next year. In the meantime, anyone wishing to install the extension may easily do so from the Chrome Store.”