AVG Extension for Google Chrome Opens Massive Security Vulnerability

The Associated Press

For almost 9 million users of Chrome, AVG’s “Web TuneUp” extension has become a major security concern.

AVG is one of the most popular antivirus utilities available. It consistently ranks among the top security utilities available and rates a comfortable third place on Download.com’s most downloaded with over half a billion total downloads from that site alone. The utility’s downfall may be its hubris — earlier this month, a glaring flaw was revealed in the security of a browser extension meant to fix browser security issues.

Worse yet, the extension meant to “tune up” your web security was forcibly installing itself when you installed the AVG antivirus, with no way to choose not to let it alter your browser settings. How big is the hole? Big enough that it would allow access to your e-mail, browsing history, and other personal information with a “trivial” level of effort.

Tavis Ormandy of Google was the first to spot the problem:

Apologies for my harsh tone, but I’m really not thrilled about this trash being installed for Chrome users. The extension is so badly broken that I’m not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it’s a PuP.

Nevertheless, my concern is that your security software is disabling web security for 9 million Chrome users, apparently so that you can hijack search settings and the new tab page.

When AVG responded four days later with a “fix,” it was so inadequate that it did no more than check for a piece of an address, a piece that, as Ormandy notes in his reply, “anyone can put [in] their hostname. This simply doesn’t protect against the original problem we described.”

AVG’s later attempts were only marginally better. They narrowed the gap by whitelisting a couple of their own servers, which merely limited to those with access to those addresses the “permission to compromise the entire internet.” That’s not hyperbole; it’s a very blunt phrasing of a massive problem.
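The two fixes described above, the "piece of an address" check and the later server whitelist, differ in one concrete way: whether the extension looks at a substring of the URL or at the page's full origin. The following is an added illustration written for this article, not AVG's code or Ormandy's; the allowlisted origins and the sample URLs are constructed placeholders, since the page does not name the real servers.

```javascript
// Added illustration (not AVG's code): matching a "piece of an address"
// versus checking the full origin of a page before an extension grants it
// privileged access.

// Constructed placeholder allowlist; the real whitelisted servers are not
// named on the page.
const TRUSTED_ORIGINS = new Set([
  "https://trusted.example.com",
  "https://also-trusted.example.com",
]);

// The inadequate first fix, as described: a substring test for part of a
// hostname anywhere in the page URL. Anyone controlling a hostname or a
// query string can make this string appear.
function weakAddressCheck(pageUrl) {
  return pageUrl.includes("example.com");
}

// Strict check: parse the URL, then require an exact origin match
// (scheme + host + port) against the allowlist. Unparseable input is rejected.
function strictOriginCheck(pageUrl) {
  let parsed;
  try {
    parsed = new URL(pageUrl);
  } catch (err) {
    return false;
  }
  return TRUSTED_ORIGINS.has(parsed.origin);
}

// Run both checks over a list of page URLs so the disagreements are visible.
function compareChecks(urls) {
  return urls.map((u) => ({
    url: u,
    weak: weakAddressCheck(u),
    strict: strictOriginCheck(u),
  }));
}

// Constructed sample page URLs.
const SAMPLE_URLS = [
  "https://trusted.example.com/settings",   // legitimate allowlisted origin
  "https://example.com.attacker.test/",     // unrelated host that contains the fragment
  "https://attacker.test/?next=example.com", // fragment appears only in the query
  "http://trusted.example.com/",            // right host, wrong scheme
];

for (const r of compareChecks(SAMPLE_URLS)) {
  console.log(`${r.url}  weak=${r.weak}  strict=${r.strict}`);
}
```

Even the strict version only narrows the trust boundary to the allowlisted origins: every page served from those hosts still gets whatever privilege the extension exposes, which is the residual risk Ormandy's "banking, email, everything" remark points at. The real mitigation is to expose no such privilege to web content at all, not to pick better strings to match.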

Despite confessing that he isn’t “a web security expert,” Ormandy found flaws within this updated fix in “under a minute of looking.” Any wrong step related to these domains, even a single bug in their use, could potentially compromise an AVG user’s “banking, email, everything.”

AVG’s lackadaisical attitude toward a piece of software they forcibly added to millions of customers’ browsers is disheartening at best, but more recent updates seem to have largely fixed the issue. In response to the security debacle, however, AVG is no longer allowed to automatically install anything on Chrome for the foreseeable future.

Follow Nate Church @Get2Church on Twitter for the latest news in gaming and technology, and snarky opinions on both.

