AVG AntiVirus force-installed a Chrome extension called AVG Web TuneUp, which is critically vulnerable

by Ashwin, December 30, 2015

AVG Antivirus has been found to have force-installed a vulnerable Google Chrome extension called AVG Web TuneUp.

AVG Web TuneUp

The issue was reported by Tavis Ormandy, a researcher on Google’s Project Zero team, on Google’s Product Forums.

It is worth noting that Ormandy has reported several security issues in antivirus products in the past, including ESET and Kaspersky, to name a few.

The AVG Web TuneUp extension was found to add many JavaScript APIs to the browser, which can be used to hijack Chrome’s search settings and the browser’s new tab page. AVG’s extension reportedly bypassed Chrome’s malware detection rules, and exposes browsing history and other personal user data, which an attacker could then use to perform remote code execution, or even a man-in-the-middle attack.

Oddly enough, the extension is actually available from the Chrome Web Store, so users could have installed it on their own instead of this forced-installation fiasco. Ormandy also reported that, according to the Web Store statistics, the extension has over 9 million active users, which makes the risk much greater. Apparently there was no way to opt out of the installation either. The Google engineer raised the issue with AVG, and wrote the following in an emailed statement to the company.

Apologies for my harsh tone, but I’m really not thrilled about this trash being installed for Chrome users. The extension is so badly broken that I’m not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it’s a PuP.

Calling AVG’s own app trash in an emailed statement to the company was rather bold, but the extension was apparently so badly coded and vulnerable that this is probably why he chose those words.

After the two discussed the matter over email, it appears that the security firm has indeed corrected the issue with the Web TuneUp extension. The company has updated Web TuneUp to version, published it on the Web Store, and automatically updated existing installations.

Regardless of this, Google will block auto-installation of the add-on by default, according to Ormandy’s report.

Inline installations are disabled while the CWS team investigate possible policy violations.

This refers to the technique the extension used to bypass the extension policies that Google sets out for developers.

By contrast, AVG released a privacy-centric Chrome extension called Crumble back in April this year. It is still a good one, and continues to hold an excellent rating on the Chrome Web Store.