Welcome Stranger to OCC!Login | Register

Serious Exploit Found and Hopefully Fixed in AVG Web TuneUp Chrome Extension

Category: Internet
Posted: 08:29AM
Author:

Earlier this month a Google employee made an interesting discovery concerning the AVG Web TuneUp extension, that should be fixed now. This extension is force-installed alongside the AVG Antivirus and about nine million active Chrome users have it installed. It adds numerous JavaScript APIs to the browser with the apparent purpose of hijacking search settings and the new tab page, but many of the APIs are also badly written, so it can be exploited to get far more information. To demonstrate this, the Google employee wrote a few exploits to share with AVG when he reported the vulnerability.

Following his report, AVG put together a fix, but it was found to be lacking because it only checked that the origin of a message contains ".avg.com." As the Google employee pointed out in a second report, anyone can add that to their domain and because it does not check for a secure origin, it is vulnerable to man-in-the-middle attacks, effectively disabling SSL. In response, AVG issued another fix to the extension that whitelists only two AVG domains, which is still not ideal but it might be the best we get. Any XSS or mixed-content on those two domains has the necessary permissions to use the APIs, which also means that any bugs on those domains could be exploited, so the Google employee recommends a professional web audit to find and fix any such issues.

Version 4.2.5.169 of the extension appears to have the final fix in it, so make sure you have been updated to at least that version. This story may not be over yet though, as Google investigates to see if any policy violations were made, as the complicated install process for the extension could get around Chrome malware checks.

Source: Google and HotHardware



Register as a member to subscribe comments.

This news has comment postings disabled because it is now archived.

© 2001-2017 Overclockers Club ® Privacy Policy
Elapsed: 0.0983510017   (xlweb1)