JMH
- Apr 2, 2012
AVG Forcibly Installs Vulnerable Chrome Extension That Exposes Users' Browsing History
The AVG Web TuneUp Chrome extension, forcibly added to Google Chrome browsers when users were installing the AVG antivirus, had a serious flaw that allowed attackers to get the user's browsing history, cookies, and more.
The vulnerability was discovered by Google Project Zero researcher Tavis Ormandy, who worked with AVG for the past two weeks to fix the issue.
AVG Web TuneUp vulnerable to a universal XSS
As Mr. Ormandy explains in his bug report, the AVG Web TuneUp extension, which lists over nine million users on its Chrome Web Store page, was vulnerable to trivial XSS (cross-site scripting) attacks.
Attackers aware of this problem would have been able to access a user's cookies, browsing history, and various other details exposed via Chrome.
"This extension adds numerous JavaScript APIs to Chrome, apparently so that they can hijack search settings and the new tab page," explains Mr. Ormandy. "The installation process is quite complicated so that they [AVG] can bypass the Chrome [Store] malware checks, which specifically tries to stop abuse of the [Chrome] Extension API."