A free plugin installed by AVG AntiVirus bypassed the security of Google’s Chrome browser, potentially exposing the browsing histories and other personal data of customers to the Internet.
The vulnerability, demonstrated in an exploit by a Google researcher earlier this year, has now been patched after initial stumbling attempts by AVG, according to a discussion of the bug in Google’s security research discussion list.
The flaw was uncovered by Tavis Ormandy, who works on Google’s security team. He explained that the software force-installs a plugin in the Chrome browser without asking for the user’s permission.
In doing so, the software could expose the user’s personal details and internet history to criminals trawling the web for such details. The code could also let hackers spy on victims’ emails and other online activities, he said.
“The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API.”
He added: “Anyway, many of the API’s are broken, the attached exploit steals cookies from avg.com. It also exposes browsing history and other personal data to the internet, I wouldn’t be surprised if it’s possible to turn this into arbitrary code execution.”
After discovering the problem, Ormandy wrote a letter to AVG, highlighting the issue and advising the company to fix the problem immediately.
“My concern is that your security software is disabling web security for nine million Chrome users, apparently so that you can hijack search settings and the new tab page,” he wrote.
“There are multiple obvious attacks possible, for example, here is a trivial universal xss in the ‘navigate’ API that can allow any website to execute script in the context of any other domain. For example, attacker.com can read email from mail.google.com, or corp.avg.com, or whatever else. I hope the severity of this issue is clear to you, fixing it should be your highest priority.”