AVG Forcibly Installs Vulnerable Chrome Extension That Exposes Users' Browsing History

Status
Not open for further replies.

Exterminator

Source: AVG Forcibly Installs Vulnerable Chrome Extension That Exposes Users' Browsing History

AVG installs poorly-written Chrome extension

The AVG Web TuneUp Chrome extension, forcibly added to Google Chrome browsers when users were installing the AVG antivirus, had a serious flaw that allowed attackers to get the user's browsing history, cookies, and more.

The vulnerability was discovered by Google Project Zero researcher, Tavis Ormandy, who worked with AVG for the past two weeks to fix the issue.

AVG Web TuneUp vulnerable to a universal XSS
As Mr. Ormandy explains in his bug report, the AVG Web TuneUp extension, which lists over nine million users on its Chrome Web Store page, was vulnerable to trivial XSS (cross-site scripting) attacks.

Attackers aware of this problem would have been able to access a user's cookies, browsing history, and various other details exposed via Chrome.

"This extension adds numerous JavaScript APIs to Chrome, apparently so that they can hijack search settings and the new tab page," explains Mr. Ormandy. "The installation process is quite complicated so that they [AVG] can bypass the Chrome [Store] malware checks, which specifically tries to stop abuse of the [Chrome] Extension API."

A half-baked Chrome extension
During his research, Mr. Ormandy discovered that many of the custom JavaScript APIs added to Chrome by this extension are responsible for the security issue, being broken or poorly written, allowing attackers access to personal details.

AVG's developers ignored or failed to protect their users against simple cross-domain requests, allowing code hosted on one domain to be executed in the context of another URL.

Theoretically, this would give attackers access to data stored on other websites, such as Gmail, Yahoo, banking websites, and the like. All that attackers had to do was to convince a user to access a malicious URL.

The extension rendered HTTPS connections useless
Websites hosted on HTTPS were also susceptible, Mr. Ormandy stating that users of this extension "have SSL disabled."

Version 4.2.5.169 of AVG Web TuneUp fixed this issue. In the meantime, Google blocked the ability for AVG to carry out inline installations of this extension. This means that users who want to install the extension have to go to the Chrome Web Store and trigger the download with a click.

Additionally, the Chrome Web Store team is also investigating AVG for possible Web Store policy violations.
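
An added example, not part of the original post and not AVG's code: the article says the extension's custom JavaScript APIs did not guard against cross-domain requests. Assuming such an API is reached through messages posted by web pages (the page does not describe the mechanism), the code below sets a handler with no origin check beside one that enforces exact-origin and command allowlists; every name and origin in it is hypothetical.

```javascript
// Added illustration. TRUSTED_ORIGINS, ALLOWED_COMMANDS, privilegedApi and both
// handlers are hypothetical names; none of them come from AVG Web TuneUp.
const TRUSTED_ORIGINS = new Set(["https://extension-backend.example"]);
const ALLOWED_COMMANDS = new Set(["getSettings"]);

// Weak pattern: no origin check, so any page that can post a message
// can drive every function on the privileged API object.
function handlePageMessageUnsafe(event, api) {
  const { command, args } = event.data || {};
  return typeof api[command] === "function" ? api[command](args) : undefined;
}

// Hardened pattern: exact-origin allowlist, command allowlist, and an
// own-property check so inherited members can never be dispatched.
function handlePageMessage(event, api) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: "untrusted origin" };
  }
  const data = event.data;
  if (data === null || typeof data !== "object" || typeof data.command !== "string") {
    return { ok: false, reason: "malformed message" };
  }
  if (!ALLOWED_COMMANDS.has(data.command) ||
      !Object.prototype.hasOwnProperty.call(api, data.command)) {
    return { ok: false, reason: "command not allowed" };
  }
  return { ok: true, result: api[data.command](data.args) };
}

// Constructed privileged API and constructed message events for the demonstration.
const privilegedApi = {
  getSettings: () => ({ searchProvider: "default" }),
  getHistory: () => ["https://mail.example/inbox"],
};
const fromUntrustedPage = {
  origin: "https://untrusted.example",
  data: { command: "getHistory" },
};
const fromTrustedPage = {
  origin: "https://extension-backend.example",
  data: { command: "getSettings" },
};
// A suffix or substring match would accept this origin; exact matching does not.
const lookalike = {
  origin: "https://extension-backend.example.untrusted.example",
  data: { command: "getSettings" },
};
```

The exact-match `Set` lookup is the important detail: origin checks written with `indexOf` or `endsWith` accept the lookalike origin above.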
 

Kuttz

Free antivirus software is getting exposed day by day. I think these free antivirus vendors are competing with each other to see who is worse :p
 

CMLew

AVG was a good AV a long time ago. In fact, it was my first free AV installed. But as time went by, I felt it got more and more limited and then started to get bloated. That's where I had to bid farewell (and hello Bitdefender!).
 

SloppyMcFloppy

AVG was a good AV a long time ago. In fact, it was my first free AV installed. But as time went by, I felt it got more and more limited and then started to get bloated. That's where I had to bid farewell (and hello Bitdefender!).

Bitdefender says: ONE OF US! ONE OF US! ONE OF US!
 

CMLew

Bitdefender says: ONE OF US! ONE OF US! ONE OF US!

I used to be a Bitdefender fan because it's cheap.

Previously I started off with Norton (back in 2001/2002) > AVG > Bitdefender / Kaspersky.

Which is why, to me, AVG at that time was a big deal (I was a student then). Detection-wise, AVG wasn't bad, pretty good though. I paired it with Norton Utilities and Ghost at that time.
 

Azure

Free antivirus software is getting exposed day by day. I think these free antivirus vendors are competing with each other to see who is worse :p

Well, free antiviruses aren't the only ones that like to have addons/extensions. Paid ones, like Kaspersky and Webroot, also do that.
 

Anupam

This is one of the reasons I do not install extensions in my browser. The only extension I have is Ad Blocker Plus. I always prefer a DNS-based malware blocking approach because that is faster and less risky. So as of now, for protection, I have
  1. Norton DNS
  2. Ad Block Plus
  3. 360 Security Essential
  4. Sandboxed Chrome
  5. Windows Firewall
  6. GlassWire Firewall.

AVG is getting worse day by day. Earlier I used to be a fan boy of AVG when I was in college. But now, even if I get a free AVG Internet Security license, I still won't go with AVG.
 

Crystal_Lake_Camper

So once again AVG has made a miscalculation and it's wood for the chipper again. It's a shame some people see this as another excuse to bash the company again, while they are not even the only company who does stupid things from time to time. Meanwhile, I have reported this to the proper people over at the AVG labs, hoping they will fix this soon and calm down this storm!!

Just got word from our community manager: AVG was notified about this flaw and a few hours later it was corrected by the development team.
 

omidomi

I don't suggest these AVs:
Qihoo (cheater company)
AVG (NSA worker)
McAfee (private reason :D )
Symantec (blocked Iranian people with no reason)
Bitdefender (buggy)
Other software is good:
Emsisoft
Dr.Web
Kaspersky
Webroot
Trend Micro
Eset
Comodo
Panda
...
 

jamescv7

AVG in security is not a problem for them but rather implementation takes a problem that sometimes even though isolated from overall performance but reputation is bind the overall framework.

Very poor actions.
 

soccer97

Economics: There's no such thing as a free lunch. Someone gives up something in exchange for that 'lunch'. AVG announced that they would be collecting users' data earlier this year, and they have continued with that promise. I would encourage people not to use them if you value your privacy (and security, as it is a buggy/vulnerable browser extension which could be a potential target).
 

Anupam

I just finished installing AVG IS 2016 on a machine and did not get a browser ext at all. ;)

They will ask for it after some time. When I installed it last time (around 2 months back), I suddenly got a pop-up saying "Bla bla you are vulnerable bla bla Click Yes to Install AVG search bla bla". When I clicked on Yes, I was in deep yellow smelly thing. All my browsers were hijacked and I had to uninstall AVG.
 

Kiwimike

While I'll admit this was all AVG's fault. This is not rare for other anti virus companies to have vulnerabilities in their software, it's a standard fact.
Having anti virus software on your system is not only a benefit but also a risk as it opens up vulnerabilities, as all software installed on your system does.
I would also have to say, I think AVG is one of the best antiviruses out there, they have got a lot of adware-like tools which makes me a bit hesitant. But as someone who has used their products for a long period and also considers myself very fluent with their software.
I think that they've got a great Self-Defense module, they've got great detection, they've got great removal capabilities and also contains great behavioural detection.
AVG's behavioural detection relies on several layers including an emulation layer, a restriction layer etc. These help prevent malware from taking over the system.

I'm sorry for getting carried away, I just dislike when people say AVG is bad compared to this or that. Because the honest truth, as @Umbra stated, AVs are bad.
This is true for ALL AVs. I once had an idea years ago that 10-15 years down the line antivirus software would be rendered completely useless and security software would take on a new name and would contain no signature detection.

I think that is true, otherwise these bugs happen. Because anti virus software should be able to prevent other applications from getting exploited. That's also the hard part, because so many of them use signatures and are already so invested in the system.
I think we will unfortunately, need to have a new security company take over the space.
 

Anupam

While I'll admit this was all AVG's fault. This is not rare for other anti virus companies to have vulnerabilities in their software, it's a standard fact.
Having anti virus software on your system is not only a benefit but also a risk as it opens up vulnerabilities, as all software installed on your system does.
I would also have to say, I think AVG is one of the best antiviruses out there, they have got a lot of adware-like tools which makes me a bit hesitant. But as someone who has used their products for a long period and also considers myself very fluent with their software.
I think that they've got a great Self-Defense module, they've got great detection, they've got great removal capabilities and also contains great behavioural detection.
AVG's behavioural detection relies on several layers including an emulation layer, a restriction layer etc. These help prevent malware from taking over the system.

I'm sorry for getting carried away, I just dislike when people say AVG is bad compared to this or that. Because the honest truth, as @Umbra stated, AVs are bad.
This is true for ALL AVs. I once had an idea years ago that 10-15 years down the line antivirus software would be rendered completely useless and security software would take on a new name and would contain no signature detection.

I think that is true, otherwise these bugs happen. Because anti virus software should be able to prevent other applications from getting exploited. That's also the hard part, because so many of them use signatures and are already so invested in the system.
I think we will unfortunately, need to have a new security company take over the space.


How about Emsisoft? It never installs any browser plugins / PUPs and it's the best when it comes to privacy.

When an antivirus installs a browser extension, it needs to make sure it's of good quality, because browsers are the best medium for malicious activity when you surf the internet. I am not saying only AVG, but I am against most of the AVs that try to install any sort of browser add-on.
 

SloppyMcFloppy

I don't suggest these AVs:
Qihoo (cheater company)
AVG (NSA worker)
McAfee (private reason :D )
Symantec (blocked Iranian people with no reason)
Bitdefender (buggy)
Other software is good:
Emsisoft
Dr.Web
Kaspersky
Webroot
Trend Micro
Eset
Comodo
Panda
...

Panda installs a browser extension without any user consent, and its two files had been detected as PUPs with 17/54 on virustotal.com. Also, Dr.Web marked YouTube as adult content/violence.
Scan report for https://www.youtube.com/ at 2015-12-30 07:48:24 UTC - VirusTotal (Go to the information tab and see what ridiculous category Dr.Web put YouTube in.)

Panda Browser Extensions 2 files.
Antivirus scan for edb633f30955afe8049ef9dd5de64e5f796f000e4b4c95ef552b6ef430e141ae at 2015-12-28 16:03:06 UTC - VirusTotal

 