AVG's Web TuneUp plugin found to expose users' data to hackers

A plugin from AVG designed to help protect users from online threats was found to have a security flaw that could expose users' data to hackers.

Source: Ars Technica

AVG Web TuneUp, a plugin that was supposed to help protect users from online threats, was found to have a major security flaw that would expose users' browsing history and personal data to hackers.

The plugin works by sending addresses of sites visited by users to AVG's servers to check them against AVG's database of malicious sites. However, Google security researchers found that hackers could hijack this data by using a technique known as cross-site scripting. 

What made matters worse was that the plugin was "force-installed" by AVG antivirus. As a result, Google said that about 9 million Chrome users were affected.

Google security researcher Tavis Ormandy then wrote to AVG saying:

Apologies for my harsh tone, but I'm really not thrilled about this trash being installed for Chrome users.

My concern is that your security software is disabling web security for nine million Chrome users, apparently so that you can hijack search settings and the new tab page.

I hope the severity of this issue is clear to you, fixing it should be your highest priority.

Fortunately, AVG has since updated the plugin to solve the problem. According to AVG, this vulnerability was fixed before Christmas and users should have automatically received the updated version. The plugin will also no longer be force-installed for new users of AVG antivirus.

Source: Ars Technica, BBC
