AVG Web Tuneup Extension Compromised Security For 9 Million Chrome Users

Security outfit AVG is catching some heat for a Chrome browser extension that left millions of users vulnerable to a variety of online attacks. Called "AVG Web TuneUp," it automatically gets installed into Chrome as part of AVG's antivirus product. That's problem number one. Problem number two is that it presented several potential security risks.

A developer for Google brought the attention to Google's Project Zero team, noting that the extension adds a bunch of JavaScript APIs to Chrome "apparently so that they can hijack search settings and the New Tab page." It appears as though AVG intentionally made the installation process complicated so that the extension could evade Chrome malware checks.

AVG Web TuneUp

"Many of the APIs are broken," said Tavis Ormandy, the developer who brought the issue to light. To demonstrate the problem, Ormandy uploaded an exploit that "steals cookies from AVG.com" and "exposes browsing history and other personal data to the Internet." He surmised that it's probably possible to turn the exploit into arbitrary code execution.

"Apologies for my harsh tone, but I'm really not thrilled about this trash being installed for Chrome users," Ormandy told AVG. "The extension is so badly broken that I'm not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it's a PuP. Nevertheless, my concern is that your security software is disabling web security for 9 million Chrome users, apparently so that you can hijack search settings and the new tab page."

AVG's first attempt to fix the extension didn't go the distance to fully protect users from exploits. Two days later, AVG offered up a new version that appears to address the issues raised.

"We thank the Google Security Research Team for making us aware of the vulnerability with the Web TuneUp optional Chrome extension," AVG said in a statement. "The vulnerability has been fixed; the fixed version has been published and automatically updated to users."

Be that as it may, Project Zero has prohibited AVG from using inline installations while they investigate if any policy violations occurred.