AVG Fixes Chrome Extension Flaw

Tuesday, January 5, 2016 @ 10:01 AM gHale

The AVG Web TuneUp Chrome extension had a serious flaw that allowed attackers to pull out the user’s browsing history and cookies.

The extension was added to Google Chrome browsers when users installed the AVG antivirus.

Google Project Zero researcher Tavis Ormandy, who worked with AVG for the past two weeks to fix the issue, discovered the vulnerability.

The AVG Web TuneUp extension, which lists over nine million users on its Chrome Web Store page, was vulnerable to trivial XSS (cross-site scripting) attacks, said Ormandy in a post.

Attackers aware of this problem would have been able to access a user’s cookies, browsing history, and various other details exposed via Chrome.

“This extension adds numerous JavaScript APIs to Chrome, apparently so that they can hijack search settings and the new tab page,” Ormandy said. “The installation process is quite complicated so that they [AVG] can bypass the Chrome [Store] malware checks, which specifically tries to stop abuse of the [Chrome] Extension API.”

During his research, Ormandy discovered that many of the custom JavaScript APIs this extension adds to Chrome are broken or poorly written. These APIs are responsible for the security issue, allowing attackers access to personal details.

AVG’s developers failed to protect against simple cross-domain requests, allowing code hosted on one domain to end up executed in the context of another URL.

Theoretically, this would give attackers access to data stored on other websites, such as Gmail, Yahoo, banking websites, and more. All attackers had to do was convince a user to access a malicious URL.

Websites hosted on HTTPS were also susceptible; Ormandy said users of this extension “have SSL disabled.”
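
The missing protection against cross-domain requests described above comes down to a privileged API that does not check who is calling it. The following is an added example, not AVG's code and not from Ormandy's post, showing an origin gate in front of such an API; every name, origin and command in it is hypothetical, and it assumes the browser supplies the caller's URL with each request.

```javascript
// Added example: origin gate for a privileged extension API reachable from pages.
// All names (TRUSTED_ORIGINS, PAGE_COMMANDS, handlePageRequest) are hypothetical.
const TRUSTED_ORIGINS = new Set(["https://tuneup.example.com"]); // constructed value

// Commands a page may ever invoke; nothing here returns cookies or history.
const PAGE_COMMANDS = {
  getVersion: () => ({ version: "0.0.0-example" }),
  setSearchProvider: (args) => ({ provider: String(args.provider) }),
};

// Normalise a sender URL to its origin; reject anything that is not HTTPS.
function senderOrigin(senderUrl) {
  let url;
  try {
    url = new URL(senderUrl);
  } catch (_) {
    return null; // missing or unparsable sender
  }
  return url.protocol === "https:" ? url.origin : null;
}

// Decide on a request. `senderUrl` must be the value the browser reports for
// the caller, never a field taken from inside the attacker-controlled `message`.
function handlePageRequest(senderUrl, message) {
  const origin = senderOrigin(senderUrl);
  if (origin === null || !TRUSTED_ORIGINS.has(origin)) {
    return { ok: false, error: "untrusted origin" };
  }
  if (typeof message !== "object" || message === null) {
    return { ok: false, error: "malformed message" };
  }
  // Own-property lookup so "constructor" or "__proto__" never resolve.
  if (!Object.prototype.hasOwnProperty.call(PAGE_COMMANDS, message.command)) {
    return { ok: false, error: "unknown command" };
  }
  return { ok: true, result: PAGE_COMMANDS[message.command](message.args || {}) };
}

// Constructed samples: trusted page, look-alike host, plain HTTP, unlisted command.
const SAMPLES = [
  ["https://tuneup.example.com/settings", { command: "getVersion" }],
  ["https://tuneup.example.com.attacker.test/", { command: "getVersion" }],
  ["http://tuneup.example.com/", { command: "getVersion" }],
  ["https://tuneup.example.com/", { command: "getCookies" }],
];
for (const [url, msg] of SAMPLES) {
  console.log(url, JSON.stringify(handlePageRequest(url, msg)));
}
```

Comparing the parsed origin for exact equality, rather than testing whether the URL contains or ends with a trusted name, is what rejects the look-alike host in the second sample.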

Version of AVG Web TuneUp fixed this issue. Google blocked AVG’s ability to carry out inline installations of this extension. This means users who want to install the extension have to go to the Chrome Web Store and trigger the download with a click.