The vulnerability that was discovered is a “trivial universal” XSS in the extension’s navigate API, which lets any website execute scripts in the context of any other domain. A litany of user complaints has erupted in recent years, most of which say the same thing: AVG’s supplementary software – Web TuneUp, SafeSearch, and the like – is a security disaster and widely disliked.
Ormandy said that he has contacted AVG regarding the issue by sending what he describes as an angry email.
AVG responded with a fix several days later, but it was rejected as it did not resolve the issue completely. Given the company’s track record, users might be better off steering clear of any extensions it has to offer. The flaw would give attackers access to data stored on other websites, such as Gmail, Yahoo, and banking websites.
The Google researcher’s verdict was damning: “I’m really not thrilled about this trash being installed for Chrome users… your security software is disabling web security for 9 million Chrome users, apparently so that you can hijack search settings and the new tab page”.
According to Ormandy, the extension leaked “browsing history and other personal data to the internet”.
It would be interesting to see how beneficial, or not, all those security software extensions are that get installed alongside antivirus software. It looks like AVG needs to win back Google’s trust. If you haven’t updated already, then perhaps you should. In the meantime, Google blocked AVG’s ability to carry out inline installations of this extension. AVG deliberately set the extension up to bypass this vetting, apparently to give it the option of changing the user’s search settings and the page that appears when they open a new tab. “The extension is so badly broken that I’m not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it’s a PuP”.
But earlier this month, Google’s security team spotted that it was overriding safety features built into the search firm’s Chrome browser.
“We thank the Google Security Research Team for making us aware of the vulnerability with the Web TuneUp optional Chrome extension”, AVG said in a statement. This means that users daft enough to want to install the extension have to go to the Chrome Web Store and trigger the download with a click.