Google Project Zero researcher Tavis Ormandy discovered a vulnerability, since fixed, in AVG Web TuneUp, a Chrome extension that forcibly installs when users install the AVG antivirus software.
The extension, which has over 9 million active users, contains a serious flaw that exposes users' browsing history, cookies, and personal data to attackers.
Ormandy wrote in a follow-up response to the bug report Monday, “I believe this issue is resolved now, but inline installations are disabled while the CWS team investigate possible policy violations.”
SCMagazine.com obtained an email response from AVG. “We thank the Google Security Research Team for making us aware of the vulnerability with the Web TuneUp optional Chrome extension,” wrote AVG. “The vulnerability has been fixed; the fixed version has been published and automatically updated to users.”