The AVG Web TuneUp Chrome extension which it adds to Google Chrome browsers when users were installing the AVG antivirus has a feature which allows attackers to read the user’s browsing history and cookies.
The bug was spotted by Google Project Zero researcher Tavis Ormandy, who worked with AVG for the past two weeks to fix it. Apparently the AVG Web TuneUp extension, which lists over nine million users on its Chrome Web Store page, was vulnerable to trivial XSS (cross-site scripting) attacks.
He said that AVG’s developers appear to have forgotten to protect their users against simple cross-domain requests, allowing code hosted on one domain to be executed in the context of another URL.
It would mean that attackers would access to data stored on other websites, such as Gmail, Yahoo, banking websites. All that attackers had to do was to convince a user to access a malicious URL, which is not that tricky.
The extension tiggered HTTPS connections making websites hosted on HTTPS susceptible. For some reason the extension users end up with “SSL disabled.”
Version 188.8.131.52 of AVG Web TuneUp fixed this issue. In the meantime, Google blocked AVG’s ability to carry out inline installations of this extension. This means that users daft enough to want to install the extension have to go to the Chrome Web Store and trigger the download with a click.