Critical Security Flaw in AVG Chrome Extension Exposes Millions of Users Data

Critical Security Flaw in AVG Chrome Extension Exposes Millions of Users Data

Google is developing a new Open Source OS that’s not based on Linux
Google Publicize Windows Zero-Day Vulnerability Before Microsoft Could Patch It
Google Asked to Remove 558 Million “Pirate” Links from Search Results in 2015

Popular antivirus company, AVG who oath to protect our online security and keep our data safe is actually turns out to expose millions of users data because of a critical security flaw in its Chrome extension. It seems that if you have been using AVG’s Web TuneUp Chrome extension, there is a good chance that you could have been exposed.

Because of the security flaw Google has banned AVG from automatically installing its Web TuneUp Chrome extension. Report says that about 9 million users data has been exposed because of this critical security flaw.

Also Read : Former Yandex Employee Arrested for Trying to Sell Search Engine Source Code for $25,000

Tavis Ormandy – a Google Project Zero researcher who has been auditing antivirus software – found the extension was riddled with vulnerabilities. Web TuneUp is installed with AVG’s antivirus package, and attempts to stop Chrome users from surfing to websites hosting malware. It is used by 9,050,432 people.

Security Flaw in AVG Web TuneUp Chrome Extension

According to Ormandy, the extension leaked “browsing history and other personal data to the internet.” Malicious websites could exploit the toolbar’s programming blunders to access other websites a user was logged into. In other words, a script running on a webpage in a tab could invisibly access, say, mail.google.com as the user, and hijack the victim’s webmail inbox. And, we’re told, man-in-the-middle miscreants could abuse Web TuneUp to inject any JavaScript they liked into webpages fetched over the network, effectively rendering any SSL encryption useless.

Also Read : Top High-Profile Hacking Attacks of 2015

” This extension adds numerous JavaScript API’s to chrome, apparently so that they can hijack search settings and the new tab page. The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API. Anyway, many of the API’s are broken, the attached exploit steals cookies from avg.com. It also exposes browsing history and other personal data to the internet, I wouldn’t be surprised if it’s possible to turn this into arbitrary code execution. “ — said by Ormandy

AVG nuked the reported vulnerabilities in version 4.2.5.169 of Web TuneUp, which was released last week. However, it is understood AVG is no longer allowed to install the extension automatically – it must be fetched manually from the Chrome Web Store if users really want it – and that the store team is investigating the widget for potential Google policy violations.

“We thank the Google Security Research Team for making us aware of the vulnerability with the Web TuneUp optional Chrome extension. The vulnerability has been fixed; the fixed version has been published and automatically updated to users,”  —  an AVG spokesperson told The Register.

As of today, the issue has been closed. That’s certainly good news for Chrome users that are running Web TuneUp, though it might not be a bad idea for those folks to just head to their extensions page and remove it entirely.

Also Read : Enemies of Internet Freedom – Government Organizations Around the World who Monitor our Online Activities

Are you using Web TuneUp Chrome extension? Then its the time to remove it. 

COMMENTS

WORDPRESS: 0