AVG's Chrome extension exposed users' data

A vulnerability was discovered in AVG's Web TuneUp, a Chrome extension that installs itself once the user installs the AVG antivirus software.

It has since been fixed, but according to Google Project Zero researcher Tavis Ormandy, who discovered the vulnerability, it exposed users' browsing history, cookies and personal data to potential attackers.

The extension has nine million active users.

“This extension adds numerous JavaScript API's to chrome, apparently so that they can hijack search settings and the new tab page,” wrote Ormandy in the bug report. “The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API.”

“Anyway, many of the API's are broken, the attached exploit steals cookies from avg.com. It also exposes browsing history and other personal data to the internet, I wouldn't be surprised if it's possible to turn this into arbitrary code execution.”

He later added: “I believe this issue is resolved now, but inline installations are disabled while the CWS team investigate possible policy violations.”

SCMagazine.com obtained an email response from AVG. “We thank the Google Security Research Team for making us aware of the vulnerability with the Web TuneUp optional Chrome extension,” wrote AVG. “The vulnerability has been fixed; the fixed version has been published and automatically updated to users.”

Tavis Ormandy was involved in the discovery of vulnerabilities in Kaspersky's anti-virus product in September. He was also involved in the discovery of a critical vulnerability in FireEye network security devices earlier this month.