Previous Story
Million At Risk from Browser Security Tool
Posted On Jan 01 2016
Comment: Off
The API extension also exposes the browsing history of a user to the internet and can be used for Remote Code Execution. That’s exactly what happened to users of AVG Antivirus, recently. While AVG did inform users about the installation of the extension and asks for their permission, Google notes that the installation is carried out such that it breaks the security checks Chrome uses to test for malicious plugins and malware.
One of AVG’s Chrome addons, Web TuneUP had a security hole that your could drive a tank into, something that could potentially let websites with malicious code in their CSS take control of your PC, though only in a trivial manner.
The Amsterdam-based cybersecurity firm released a statement saying that it is thanking the tech giant’s Security Research Team for informing it of the problems with its former Web TuneUp optional Chrome extension tool.
As gHacks explains, AVG’s extension was always problematic.
“Apologies for my harsh tone, but I’m really not thrilled about this trash being installed for Chrome users”, Ormandy wrote in a forum.
Even better, there’s no more “force installing”.
“The extension is so badly broken that I’m not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it’s a PuP [potentially unwanted program aka malware]”.
After discovering the problem, Ormandy wrote a letter to AVG, highlighting the issue and advising the company to fix the problem immediately. If you want it, you’ll have to download it manually from the Chrome store.
It would mean that attackers would access to data stored on other websites, such as Gmail, Yahoo, banking websites.
AVG’s tool has been banned from automatically installing its extension when a user installs the company’s antivirus software. As the Google employee pointed out in a second report, anyone can add that to their domain and because it does not check for a secure origin, it is vulnerable to man-in-the-middle attacks, effectively disabling SSL. The vulnerability, demonstrated in an exploit by a Google researcher earlier this year, has now been patched after initial stumbling attempts by AVG, according to a discussion of the bug in Google’s security research discussion list.
A further patch was submitted by AVG on December 28, but it remains under review by Google as they seek to investigate whether or not AVG’s plugin violated the privacy terms of the Chrome Web Store.
