
AVG Plugin Exposes Chrome User Data

by Jeff Martin on Dec 31, 2015. Estimated reading time: 1 minute

Anti-virus firm AVG released a plug-in for Google Chrome that purposefully overrode the web browser's safeguards, leaving user data exposed to malicious websites. The plugin, named AVG Web TuneUp, is ostensibly intended to warn users when they are visiting unsafe websites and/or search results. Instead, the plugin leaves users vulnerable to cross-site scripting attacks if they visit a malicious website that targets flaws in the AVG plugin.

Per the investigative work of Google security researcher Tavis Ormandy, users of the AVG plugin are vulnerable to having their browsing history and personal data stolen by a malicious website. As Ormandy notes, AVG's extension specifically bypasses the Chrome malware checks, rendering users' systems vulnerable. In a follow-up on December 21 to his original post, Ormandy states that the latest version of AVG's Web TuneUp now available (4.2.5.169) does fix the initial problem. However, it does so in part by forcing the plugin to only use the domains "mysearch.avg.com" and "webtuneup.avg.com". The risk is not completely eliminated, because if these sites are compromised, the vulnerability can still be exploited.
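The domain restriction described above can be pictured as an exact-origin allowlist in front of whatever privileged commands an extension exposes to web pages. The following is an added example, not AVG's code or anything from Ormandy's report; the function names, the message shape and the `ping` command are assumptions, and only the two host names come from the article.

```javascript
// Added example: exact-origin allowlist for messages a privileged extension
// accepts from web pages. Host names are the two named in the article;
// the function names and the message shape are assumptions.
const ALLOWED_HOSTS = new Set(["mysearch.avg.com", "webtuneup.avg.com"]);

function isAllowedOrigin(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return false; // malformed or opaque origin such as "null"
  }
  // Require HTTPS, the default port, no credentials, and an exact host match.
  return (
    url.protocol === "https:" &&
    url.port === "" &&
    url.username === "" &&
    url.password === "" &&
    ALLOWED_HOSTS.has(url.hostname)
  );
}

// Gate for a window "message" listener: returns true only when the
// message came from an allowlisted origin and names a known command.
function dispatchIfTrusted(event, handlers) {
  if (!isAllowedOrigin(event.origin)) return false;
  const data = event.data;
  if (data === null || typeof data !== "object") return false;
  if (!Object.prototype.hasOwnProperty.call(handlers, data.command)) return false;
  handlers[data.command](data.args);
  return true;
}

// Constructed sample events (not captured traffic).
const calls = [];
const handlers = { ping: (args) => calls.push(args) };
const samples = [
  { origin: "https://mysearch.avg.com", data: { command: "ping", args: 1 } },
  { origin: "http://mysearch.avg.com", data: { command: "ping", args: 2 } },
  { origin: "https://mysearch.avg.com.example", data: { command: "ping", args: 3 } },
  { origin: "https://example.org", data: { command: "ping", args: 4 } },
];
const results = samples.map((e) => dispatchIfTrusted(e, handlers));
console.log(results, calls);
```

Any script that runs on an allowlisted page passes this check, so the extension's safety now depends on those two sites staying free of injected script, which is the residual risk the article describes.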

A further patch was submitted by AVG on December 28, but it remains under review by Google as they seek to investigate whether or not AVG's plugin violated the privacy terms of the Chrome Web Store. Users seeking the highest degree of safety should probably remove the plugin from their browser while the issue is resolved. This isn't AVG's first brush with undesired attention: earlier this fall, PC World's Jared Newman pointed out that changes in their privacy policy meant that AVG was selling their users' non-personal data.
