The AVG Web TuneUp Chrome extension, added to browsers with the installation of AVG antivirus, contained a critical bug that allowed attackers to obtain users' browsing history, cookies, and more.
The vulnerability was discovered by Google Project Zero security researcher Tavis Ormandy, who has been working with AVG for the past two weeks to fix the problem.
As Mr Ormandy said in his bug report, the AVG Web TuneUp extension, which lists over nine million users on its Chrome Web Store page, was vulnerable to XSS (cross-site scripting) attacks.
Attackers who knew of this security vulnerability were able to access users' cookies, browsing history, and various other details exposed through Chrome.
During his investigation, Mr Ormandy discovered that many of the custom JavaScript APIs added to Chrome by the extension were responsible for the bug, allowing attackers to access personal information.
The new 4.2.5.169 version of AVG Web TuneUp resolves the issue. Meanwhile, Google is blocking AVG from using inline installation for this extension. This means that users who want to install it need to search for it in the Chrome Web Store.