Patch/Configuration Management, Vulnerability Management

AVG’s Chrome extension exposes personal data of 9 million users

Google Project Zero researcher Tavis Ormandy discovered a vulnerability, since fixed, in AVG Web TuneUp, a Chrome extension that forcibly installs when users install the AVG antivirus software.

The extension, which has over 9 million active users, contained a serious flaw that exposed users' browsing history, cookies, and personal data to attackers.

“This extension adds numerous JavaScript APIs to Chrome, apparently so that they can hijack search settings and the new tab page,” wrote Ormandy in the bug report. “The installation process is quite complicated so that they can bypass the Chrome malware checks, which specifically tries to stop abuse of the extension API.”

Ormandy was involved in the discovery of vulnerabilities in Kaspersky's anti-virus product in September and a critical vulnerability in FireEye network security devices earlier this month.

Ormandy wrote in a follow-up response to the bug report Monday, “I believe this issue is resolved now, but inline installations are disabled while the CWS team investigate possible policy violations.”

SCMagazine.com obtained an email response from AVG. “We thank the Google Security Research Team for making us aware of the vulnerability with the Web TuneUp optional Chrome extension,” wrote AVG. “The vulnerability has been fixed; the fixed version has been published and automatically updated to users.”
