Security company AVG, well known for its free and commercial security products that offer a wide range of security related safeguards and services, has put millions of Chrome users at risk recently by breaking Chrome security in a fundamental way in one of its extensions for the web browser.

AVG, like many other security companies offering free products, is using different monetization strategies to earn revenue from its free offerings.

One part of the equation are getting customers to upgrade to paid versions of AVG and for a while , that was the only way things worked for companies like AVG.

The free version works fine on its own but is being used to advertise the paid version that is offering advanced features such as anti-spam or an enhanced firewall on top of that.

Security companies started to add other revenue streams to their free offerings, and one of the most prominent one in recent time involved the creation of browser extensions and the manipulation of the browser's default search engine, home page and new tab page that go along with it.

Customers who install AVG software on their PC get a prompt in the end to safeguard their browsers. A click on ok in the interface installs AVG Web TuneUp in compatible browsers with minimal user interaction.

The extension has more than 8 million users according to the Chrome Web Store (according to Google's own statistics nearly nine million).

Doing so changes the home page, new tab page and default search provider in the Chrome and Firefox web browser if installed on the system.

The extension that gets installed requests eight permissions including the permission to "read and change all data on all websites", "mange downloads", "communicate with cooperating native applications", "managing apps, extensions and themes", and changing home page, search settings and start page to a custom AVG search page.

Chrome notices the changes and will prompt users offering to restore settings to their previous values if the changes made by the extension were not intended.

Quite a few issues arise from installing the extension, for instance that it changes the startup setting to "open a specific page" ignoring the users choice (for instance to continue the last session).

If that is not bad enough, it is quite difficult to modify changed settings without disabling the extension. If you check the Chrome settings after installation and activation of AVG Web TuneUp, you will notice that you cannot modify home page, start parameters or search providers anymore.

The main reason why these changes are made is money, not user security. AVG earns when users make searches and click on ads on the custom search engine they have created.

If you add to this that the company announced recently in a privacy policy update that it will collect and sell -- non identifiable -- user data to third-parties, you end up with a scary product on its own.

Security issue

A Google employee filed a bug report on December 15 stating that AVG Web TuneUp was disabling web security for nine million Chrome users. In a letter to AVG he wrote:

Apologies for my harsh tone, but I'm really not thrilled about this trash being installed for Chrome users. The extension is so badly broken that I'm not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it's a PuP. Nevertheless, my concern is that your security software is disabling web security for 9 million Chrome users, apparently so that you can hijack search settings and the new tab page. There are multiple obvious attacks possible, for example, here is a trivial universal xss in the "navigate" API that can allow any website to execute script in the context of any other domain. For example, attacker.com can read email from mail.google.com, or corp.avg.com, or whatever else.

Bascially, AVG is putting Chrome users at risk through its extension which supposedly should make web browsing safer for Chrome users.

AVG responded with a fix several days later but it was rejected as it did not resolve the issue completely. The company tried to limit exposure by only accepting requests if the origin matches avg.com.

The issue with the fix was that AVG only verified if avg.com was included in the origin which attackers could exploit by using subdomains that included the string, e.g. avg.com.www.example.com.

Google's response made it clear that there was more at stake.

Your proposed code doesn't require a secure origin, that means it permits http:// or https:// protocols when checking the hostname. Because of this, a network man in the middle can redirect a user to http://attack.avg.com, and supply javascript that opens a tab to a secure https origin, and then inject code into it. This means that a man in the middle can attack secure https sites like GMail, Banking, and so on. To be absolutely clear: this means that AVG users have SSL disabled.

AVG's second update attempt on December 21 was accepted by Google, but Google did disable inline installations for the time being as possible policy violations were investigated.

Closing Words

AVG put millions of Chrome users at risk, and failed to deliver a proper patch the first time which did not resolve the issue. That's quite problematic for a company that is trying to protect users from threats on the Internet and locally.

It would be interesting to see how beneficial, or not, all those security software extensions are that get installed alongside antivirus software. I would not be surprised if results came back that they do more harm than provide use to users.

Now You: Which antivirus solution are you using?

Summary Article Name AVG putting millions of Chrome users at risk Description AVG put millions of Google Chrome users at risk through a security extension that the company prompts users to install. Author Martin Brinkmann

Advertisement