AVG’s Web TuneUp extension which is auto installed exposes Chrome user’s browsing history
If you are a AVG user your browsing history may be visible to prying eyes. No, AVG is not the problem but a Chrome extension that is auto installed with AVG is. AVG Web TuneUp Chrome extension which is forcibly added to Google Chrome browser when users were installing the AVG antivirus, had a serious flaw that allowed attackers view user’s browsing history, cookies, and more.
The vulnerability was discovered by serial bug finder and Google Project Zero researcher Tavis Ormandy. Ormandy has reported, the AVG Web TuneUp extension which is auto installed when a user installs AVG anti-virus and has little over nine million users on its Chrome Web Store page, was vulnerable to XSS (cross-site scripting) attacks. Ormandy says that potential hacker who is aware of this vulnerability could access a user’s cookies, browsing history, and various other details.
In theory, exploiting this flaw could give hackers access to data stored on other websites, such as Gmail, Yahoo, banking websites, and more of the bunch. However to do that the hacker has to convince the Chrome browser user to visit a specially crafted malicious website. Websites hosted on HTTPS were also susceptible, Ormandy stating that users of this extension “have SSL disabled.”
Ormandy says that he has already informed AVG about this flaw and the newly released version 220.127.116.11 of AVG Web TuneUp contains a fix for this flaw.
Also, Google has blocked AVG’s ability to carry out inline installations of this extension. This means that users who want to install the extension have to go to the Chrome Web Store and trigger the download with a click.
Additionally, the Chrome Web Store team is also investigating AVG for possible Web Store policy violations.
If you are using either AVG or Web TuneUp, it is recommended that you upgrade your version immediately.