Serious Exploit Found and Hopefully Fixed in AVG Web TuneUp Chrome Extension


Earlier this month a Google employee made an interesting discovery concerning the AVG Web TuneUp extension, which should be fixed now. This extension is force-installed alongside AVG Antivirus, and about nine million active Chrome users have it installed. It adds numerous JavaScript APIs to the browser with the apparent purpose of hijacking search settings and the new tab page, but many of the APIs are also badly written, so they can be exploited to get far more information. To demonstrate this, the Google employee wrote a few exploits to share with AVG when he reported the vulnerability.

Following his report, AVG put together a fix, but it was found to be lacking because it only checked that the origin of a message contains ".avg.com". As the Google employee pointed out in a second report, anyone can include that string in their own domain name, and because the check does not require a secure origin, it is vulnerable to man-in-the-middle attacks, effectively disabling SSL. In response, AVG issued another fix to the extension that whitelists only two AVG domains, which is still not ideal but might be the best we get. Any XSS or mixed content on those two domains has the necessary permissions to use the APIs, which also means that any bugs on those domains could be exploited, so the Google employee recommends a professional web audit to find and fix any such issues.
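The difference between the two fixes described above, as an added example that is not AVG's or Google's code: a substring test on the message origin next to an exact-match allowlist that also requires HTTPS. The function names, the two allowlisted origins (placeholders, since the real pair is not named here) and the sample origins are all assumptions constructed for illustration.

```javascript
// Placeholder allowlist: the real two AVG origins are not named in the article.
const ALLOWED_ORIGINS = new Set([
  "https://placeholder-one.avg.com",
  "https://placeholder-two.avg.com",
]);

// First fix as described: accept any origin that merely contains ".avg.com".
function weakOriginCheck(origin) {
  return typeof origin === "string" && origin.includes(".avg.com");
}

// Stricter check: parse the origin, require https, then exact-match the allowlist.
function strictOriginCheck(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // not a parseable origin at all
  }
  if (url.protocol !== "https:") return false; // plain HTTP can be tampered with in transit
  return ALLOWED_ORIGINS.has(url.origin);
}

// Run both checks over a list of origins so the disagreements are visible.
function compareChecks(origins) {
  return origins.map((origin) => ({
    origin,
    weak: weakOriginCheck(origin),
    strict: strictOriginCheck(origin),
  }));
}

// Constructed sample origins, as a message handler would see them in event.origin.
const SAMPLE_ORIGINS = [
  "https://placeholder-one.avg.com",       // allowlisted, secure
  "http://placeholder-one.avg.com",        // right host, insecure scheme
  "https://www.avg.com.unrelated.example", // ".avg.com" embedded in another domain
  "https://unrelated.example",
  "not a url",
];

for (const row of compareChecks(SAMPLE_ORIGINS)) {
  console.log(`${row.origin.padEnd(40)} weak=${row.weak} strict=${row.strict}`);
}
```

Even the strict check trusts every page served from the allowlisted origins, which is why an XSS or mixed-content bug on those sites still reaches the extension's APIs.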

Version of the extension appears to have the final fix in it, so make sure you have been updated to at least that version. This story may not be over yet, though: Google is investigating whether any policy violations occurred, as the complicated install process for the extension could get around Chrome malware checks.

Source: Google and HotHardware

