
AVG's Chrome extension exposed users' data

A vulnerability was discovered in AVG's Web TuneUp, a Chrome extension that installs itself once the user installs the AVG antivirus software.

It has since been fixed, but according to Google Project Zero researcher Tavis Ormandy, who discovered the vulnerability, it exposed users' browsing history, cookies and personal data to potential attackers.

The extension has nine million active users.

“This extension adds numerous JavaScript API's to chrome, apparently so that they can hijack search settings and the new tab page,” wrote Ormandy in the bug report. “The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API.”

"Anyway, many of the API's are broken, the attached exploit steals cookies from It also exposes browsing history and other personal data to the internet, I wouldn't be surprised if it's possible to turn this into arbitrary code execution.”

He later added: “I believe this issue is resolved now, but inline installations are disabled while the CWS team investigate possible policy violations.” obtained an email response from AVG. "We thank the Google Security Research Team for making us aware of the vulnerability with the Web TuneUp optional Chrome extension," wrote AVG. "The vulnerability has been fixed; the fixed version has been published and automatically updated to users.”

Tavis Ormandy was involved in the discovery of vulnerabilities in Kaspersky's anti-virus product in September. He was also involved in the discovery of a critical vulnerability in FireEye network security devices earlier this month.

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.