This site may earn affiliate commissions from the links on this page. Terms of use

AVG Antivirus has been a popular security suite for more than a decade. The company claims more than 200 million active devices, including 100 million mobile installations. Over the past few years, the company has come under increasing fire for installing its AVG SafeSearch toolbar without permission, and announcing that it would sell consumer data to advertisers. Now, the company may have finally gone too far, thanks to an enormous bug in its AVG Web TuneUp software that fundamentally broke security for Google Chrome users.

On December 15, Google Security researcher Tavis Ormandy filed a bug report with AVG, noting that the software:

“[A]dds numerous JavaScript API’s to chrome, apparently so that they can hijack search settings and the New Tab page. The installation process is quite complicated so that they can bypass the Chrome malware checks, which specifically tries to stop abuse of the extension API.”

Ormandy followed up the bug report with a self-described angry email sent directly to AVG. In it, Ormandy writes:

“I’m really not thrilled about this trash being installed for Chrome users. The extension is so badly broken that I’m not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it’s a PuP [potentially unwanted program].

Nevertheless, my concern is that your security software is disabling web security for 9 million Chrome users, apparently so that you can hijack search settings and the new tab page.

There are multiple obvious attacks possible, for example, here is a trivial universal xss in the ‘navigate’ API that can allow any website to execute script in the context of any other domain.” (The relevant code samples can be viewed at the initial bug report.)

AVG released a broken patch for the problem on December 19, which Google promptly rejected. The company revised its patch again, but as of December 28, Google is reviewing the extension to determine if AVG will be allowed to offer it at all.

A review of the most recent anti-virus comparisons at AV-Comparatives shows AVG’s anti-virus performing at the top of the heap. The same cannot be said, however, for the foistware that the company has taken to pushing at its users. A litany of user complaints have erupted in recent years, most of which say the same things: AVG’s supplementary software — Web TuneUp, SafeSearch, and the like — are security disasters and rampantly disliked.

The fact that the company now wants to sell consumer data (the information above is from AVG itself) may just be the last straw for many users. AVG has traded actual due diligence for pushing users towards products that don’t function while selling the data of its userbase.