Google Researcher Finds Vulnerability in AVG Chrome Extension
Researcher Tavis Ormandy of the Project Zero security team at Google found a vulnerability in the AVG Web TuneUp Chrome extension. The flaw would have made it possible for attackers to view all kinds of user information via the extension's APIs. The vulnerability has since been fixed.
Ormandy reports in the description that the AVG extension bypasses existing malware protection measures when installed in Chrome. The program could then adjust search settings and set the page that the browser opens in a new tab. Ormandy wrote to AVG that the extension is so broken that he doesn't know whether to report it as a vulnerability or have it investigated as a potentially unwanted program. This is despite the fact that the extension is intended to make browsing more secure and is said to be present in the browsers of approximately nine million users.
Using cross-site scripting, an attacker could intercept e-mail or perform a man-in-the-middle attack through the extension's programming interfaces. The researcher also does not rule out the possibility that arbitrary code could have been executed remotely. The dialogue between Ormandy and AVG shows that the company initially tried to close the hole with patches that offered virtually no solution. Only after some back-and-forth did AVG come up with a fix that, according to the researcher, is workable. Ormandy announced on Tuesday that an investigation is still underway into whether AVG violates the rules with the extension. The update is reportedly available in version 4.2.5.169 of the extension.