Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

AVG Chrome Extension Exposes User Data:Security Week


  • Please log in to reply
5 replies to this topic

#1 JohnC_21

JohnC_21

  • Members
  • 22,650 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:44 AM

Posted 29 December 2015 - 07:11 PM

A Chrome extension that AVG AntiVirus automatically installs on users’ systems exposes browsing history and other personal data to the Internet, Google Project Zero researcher Tavis Ormandy has discovered.

According to Ormandy’s report, the Chrome extension, dubbed AVG Web TuneUp and featuring extension id chfdnecihphmhljaaejmgoiahnihplgn, is force-installed on the end-user systems along with the AVG AntiVirus application. The extension adds a series of vulnerabilities to the browser, thus putting its more than 9 million installed users at risk.

The researcher explains that the extension has been designed to add numerous JavaScript API's to Chrome to hijack search settings and the new tab page, but many of these API’s are broken. Moreover, he notes that the installation process of the extension is so complicated that it can bypass the Chrome malware checks, which have been specifically designed to prevent abuse of the extension API.

Among the vulnerabilities that AVG Web TuneUp brings along, the researcher mentions a “trivial universal” XSS (Cross-Site Scripting) in the "navigate" API, which could allow websites to execute scripts in the context of any other domains. According to Ormandy, a website could read emails from mail.google.com and perform other actions as well because of this high-severity flaw.

 

Article



BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:44 AM

Posted 29 December 2015 - 07:40 PM

And another reason I will add to my growing list for not recommending AVG.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,485 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:44 AM

Posted 31 December 2015 - 11:36 AM

Another article on ArsTechnica.

http://arstechnica.com/security/2015/12/google-slams-avg-for-exposing-chrome-user-data-with-security-plugin/

I wonder when Antivirus will cut that crap (with useless, vulnerable and borderline PUP "web extensions"). AVG is the worst: AVG PC TuneUp, AVG Web TuneUp, AVG Secure Search, publicly selling data to advertisement companies to make sure that "AVG Free stays free". AVG is really hitting the bottom of the barrel now, and I don't expect it to get back up in 2016.

Edit: And another one on The Register.

http://www.theregister.co.uk/2015/12/29/avg_google_chrome_extension/

Edited by Aura, 31 December 2015 - 11:37 AM.

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:44 AM

Posted 31 December 2015 - 03:21 PM

As long as a product is offered free, users have to put up with the crap if they want to use the software. If the product is one you pay for, users speak with their wallets.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 PhotoAce

PhotoAce

  • Members
  • 165 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Zealand
  • Local time:06:44 PM

Posted 02 January 2016 - 02:29 PM

Hmmm....I have AVG antivirus paid version, and the only extension turned on in Chrome is Adblock Plus. I don't have any of the other AVG products.


Edited by PhotoAce, 02 January 2016 - 02:53 PM.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:44 AM

Posted 02 January 2016 - 02:50 PM

IMO AVG PC TuneUp, AVG Web TuneUp, AVG Secure Search are not only unnecessary but junkware users should avoid.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users