AVG’s Web Tuneup, a plugin that is supposed to protect users from online threats, has turned out to be a major security flaw that exposes users’ browsing history and personal data to hackers. The plugin works by sending addresses of sites visited by users to AVG’s servers in order to check them against AVG’s database of malicious sites. However, Google’s security team noted that the plugin was overriding safety features built into the search firm’s Chrome browser.
The team also found that hackers could hijack the data by using a technique known as cross-site scripting (XXS). This method allows attackers to inject malicious scripts into trusted web pages viewed by other users. XXS is also used to bypass access controls such as same-origin policy.
Google security researcher, Tavis Ormandy, highlighted that Web Tuneup was “force-installed” by AVG antivirus into Chrome, and as a result, Google confirmed that nine million Chrome users were affected.
Tavis wrote to AVG regarding the issue saying: “Apologies for my harsh tone, but I’m really not thrilled about this trash being installed for Chrome users.
My concern is that your security software is disabling web security for nine million Chrome users, apparently so that you can hijack search settings and the new tab page. I hope the severity of this issue is clear to you, fixing it should be your highest priority.”
Although AVG has addressed the problem, Tavis’ message shows that its attempt did not work after all. AVG later stated that: “We thank the Google Security Research Team for making us aware of the vulnerability with the Web TuneUp optional Chrome extension.”
The company has since updated the plugin to fix the vulnerability. The fix was done before Christmas and users should automatically receive the updated version of Web Tuneup. Additionally, the plugin will no longer be force-installed for new users of AVG antivirus.
(Source: BBC via HardwareZone)
