
Vulnerability in AVG's Chrome Extension Puts 9m Users' Personal Data in Danger


Tavis Ormandy, a security researcher with Google's Project Zero, found a security flaw in an AVG Chrome extension after working with AVG for the last couple of weeks. The extension, AVG Web TuneUp, is force-installed into Google's Chrome browser whenever users install AVG's anti-virus. The vulnerability is severe because it lets attackers access the user's browsing history, cookies and other data, softpedia.com reported on December 29, 2015.

Web TuneUp can be downloaded free of charge from the Chrome Store and is designed to provide high-quality protection against malicious websites. The tool is installed compulsorily through AVG Anti-Virus. The "in-line" installation takes place only if users give their consent. However, it is carried out in a way that circumvents the security checks Chrome uses to look for malware and malicious plug-ins.

As Ormandy explained, Web TuneUp, which lists more than 9m users on its Chrome Web Store page, had a trivial cross-site scripting (XSS) vulnerability. Cyber-criminals who knew of the issue could easily gain access to a user's browsing history, cookies and many other details exposed through Chrome.

Ormandy, who wrote a bug report, further explained that the extension added numerous JavaScript APIs to the browser, apparently so that it could compromise search settings and the new tab page. The installation procedure was quite complex so that it could circumvent Chrome's malware checks, which specifically try to stop abuse of the extension API.

During his research, Ormandy found that several of the custom JavaScript APIs the extension added to Chrome were poorly written or broken, and that these were behind the vulnerability, letting attackers gain access to personal data. AVG's developers failed, or overlooked the need, to protect their users against straightforward cross-domain requests, which let code hosted on any one domain run in the context of another URL.

As a result, attackers could gain access to data from Yahoo, Gmail, banking or other websites just by convincing the user to click a malicious URL.
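The missing safeguard described above, a check on which origin is calling an extension-provided API, is shown here as an added example; it is not AVG's code and not taken from Ormandy's report. It assumes a hypothetical dispatcher that receives a browser-supplied sender origin with each request, and every name, action and origin in it is constructed for illustration.

```javascript
// Added illustration: hypothetical extension-side dispatcher for requests
// coming from web pages. All names and origins are constructed, not AVG's.
const TRUSTED_ORIGINS = new Set(["https://extension-vendor.example"]);
const PUBLIC_ACTIONS = new Set(["getVersion"]); // safe for any page to call

// Stub handlers standing in for APIs an extension might expose.
const handlers = {
  getVersion: () => "1.0.0",
  readHistory: () => ["https://mail.example/inbox", "https://bank.example/"],
};

const isKnownAction = (msg) =>
  Boolean(msg) && Object.prototype.hasOwnProperty.call(handlers, msg.action);

// Normalise a browser-supplied origin (e.g. event.origin of a "message"
// event). Opaque ("null"), malformed and non-HTTPS origins yield null.
function canonicalOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return null;
  try {
    const u = new URL(origin);
    return u.protocol === "https:" ? u.origin : null;
  } catch {
    return null;
  }
}

// Weak form: the sender's origin is never consulted, so any page that can
// reach the dispatcher can call every handler.
function dispatchUnchecked(senderOrigin, msg) {
  if (!isKnownAction(msg)) return { ok: false, error: "unknown action" };
  return { ok: true, result: handlers[msg.action]() };
}

// Hardened form: privileged actions require an exact match against the
// allowlist. Exact comparison matters: substring or suffix tests would
// accept look-alike hosts such as extension-vendor.example.evil.test.
function dispatchChecked(senderOrigin, msg) {
  if (!isKnownAction(msg)) return { ok: false, error: "unknown action" };
  if (!PUBLIC_ACTIONS.has(msg.action)) {
    const origin = canonicalOrigin(senderOrigin);
    if (origin === null || !TRUSTED_ORIGINS.has(origin)) {
      return { ok: false, error: "origin not allowed" };
    }
  }
  return { ok: true, result: handlers[msg.action]() };
}
```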

» SPAMfighter News - 1/4/2016
