AVG’s Web TuneUp extension which is auto installed exposes Chrome user’s browsing history
If you are a AVG user your browsing history may be visible to prying eyes. No, AVG is not the problem but a Chrome extension that is auto installed with AVG is. AVG Web TuneUp Chrome extension which is forcibly added to Google Chrome browser when users were installing the AVG antivirus, had a serious flaw that allowed attackers view user’s browsing history, cookies, and more.
The vulnerability was discovered by serial bug finder and Google Project Zero researcher Tavis Ormandy. Ormandy  has reported, the AVG Web TuneUp extension which is auto installed when a user installs AVG anti-virus and has little over nine million users on its Chrome Web Store page, was vulnerable to XSS (cross-site scripting) attacks. Ormandy says that potential hacker who is aware of this vulnerability could access a user’s cookies, browsing history, and various other details.
“This extension adds numerous JavaScript APIs to Chrome, apparently so that they can hijack search settings and the new tab page,” Ormandy stated, “The installation process is quite complicated so that they [AVG] can bypass the Chrome [Store] malware checks, which specifically tries to stop abuse of the [Chrome] Extension API.”
Ormandy blamed the half baked extension for the vulnerability. He found that many of the custom JavaScript APIs added to Chrome by this extension are responsible for the security issue. Ormandy says that this APIs are broken or poorly written, allowing potential hackers to access to Chrome user’s personal details. Ormandy says that AVG’s developers ignored or failed to protect their users against simple cross-domain requests, allowing code hosted on one domain to be executed in the context of another URL.
In theory, exploiting this flaw could give hackers access to data stored on other websites, such as Gmail, Yahoo, banking websites, and more of the bunch. However to do that the hacker has to convince the Chrome browser user to visit a specially crafted malicious website. Websites hosted on HTTPS were also susceptible, Ormandy stating that users of this extension “have SSL disabled.”
Ormandy says that he has already informed AVG about this flaw and the newly released version 4.2.5.169 of AVG Web TuneUp contains a fix for this flaw.
Also, Google has blocked AVG’s ability to carry out inline installations of this extension. This means that users who want to install the extension have to go to the Chrome Web Store and trigger the download with a click.
Additionally, the Chrome Web Store team is also investigating AVG for possible Web Store policy violations.
If you are using either AVG or Web TuneUp, it is recommended that you upgrade your version immediately.
