Google Blocks AVG Antivirus "Web TuneUp" Chrome Extension After Security Audit

Accepted submission by takyon at 2015-12-29 23:43:20
Security

Google has prevented the automatic installation [theregister.co.uk] of AVG's Web TuneUp Google Chrome extension after conducting a Project Zero [wikipedia.org] audit that found the software compromised the security of its 9 million users:

Tavis Ormandy – a Google Project Zero researcher who has been auditing [theregister.co.uk] antivirus software – found the extension was riddled [google.com] with vulnerabilities. Web TuneUp [google.com] is automatically installed with AVG's antivirus package, and attempts to stop Chrome users from surfing to websites hosting malware. It is used by 9,050,432 people.

According to Ormandy, the extension leaked "browsing history and other personal data to the internet." Malicious websites could exploit the toolbar's programming blunders to access other websites a user was logged into. In other words, a script running on a webpage in a tab could invisibly access, say, mail.google.com as the user, and hijack the victim's webmail inbox. And, we're told, man-in-the-middle miscreants could abuse Web TuneUp to inject any JavaScript they liked into webpages fetched over the network, effectively rendering any SSL encryption useless.

"Apologies for my harsh tone, but I'm really not thrilled about this trash being installed for Chrome users," Ormandy told AVG's engineers in his security bug report. "The extension is so badly broken that I'm not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it's a PuP [potentially unwanted program aka malware]."

AVG nuked the reported vulnerabilities in version 4.2.5.169 of Web TuneUp, which was released last week, we're told. However, it is understood AVG is no longer allowed to install the extension automatically – it must be fetched manually from the Chrome Web Store if users really want it – and that the store team is investigating the widget for "possible policy violations."
