Google slams AVG for exposing Chrome user data with “security” plugin

A free plugin installed by AVG AntiVirus bypassed the security of Google’s Chrome browser, potentially exposing the browsing histories and other personal data of customers to the Internet. The vulnerability, demonstrated in an exploit by a Google researcher earlier this year, has now been patched after initial stumbling attempts by AVG, according to a discussion of the bug in Google’s security research discussion list.

AVG’s “Web TuneUp” tool is a free download from the Chrome Store intended to provide reputation-based protection against malicious websites, and it was “force-installed” by AVG AntiVirus in a way that broke the security checks Chrome uses to test for malicious plugins and malware. The plugin works by sending the Web addresses of sites visited by the user to AVG’s servers to check them against a database of known malicious sites. But the way the plugin was constructed meant that information could be easily exploited by an attacker through cross-site scripting [XSS], according to a post by Google Security researcher Tavis Ormandy on December 15.

“This extension adds numerous JavaScript API’s to Chrome, apparently so that they can hijack search settings and the new tab page,” Ormandy wrote. “The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API. Anyway, many of the API’s are broken.”

Ormandy attached a proof-of-concept exploit that stole the authentication cookies from AVG’s website, which “also exposes browsing history and other personal data to the internet.” Ormandy added, “I wouldn’t be surprised if it’s possible to turn this into arbitrary code execution.”

Source: Google slams AVG for exposing Chrome user data with “security” plugin

Advertisement