AVG AntiVirus "force-installed" Chrome plugin that left browsing data vulnerable
A free plugin installed by AVG AntiVirus bypassed the security of Google's Chrome browser, potentially exposing the browsing histories and other personal data of customers to the Internet. The vulnerability, demonstrated in an exploit by a Google researcher earlier this year, has now been patched after initial stumbling attempts by AVG, according to a discussion of the bug in Google's security research discussion list.
AVG's "Web TuneUp" tool is a free download from the Chrome Store intended to provide reputation-based protection against malicious websites, and it was "force-installed" by AVG AntiVirus in a way that broke the security checks Chrome uses to test for malicious plugins and malware. The plugin works by sending the Web addresses of sites visited by the user to AVG's servers to check them against a database of known malicious sites. But the way the plugin was constructed meant that information could be easily exploited by an attacker through cross-site scripting [XSS], according to a post by Google Security researcher Tavis Ormandy on December 15.
"This extension adds numerous JavaScript API's to Chrome, apparently so that they can hijack search settings and the new tab page," Ormandy wrote. "The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API. Anyway, many of the API's are broken."
Ormandy attached a proof-of-concept exploit that stole the authentication cookies from AVG's website, which "also exposes browsing history and other personal data to the internet." Ormandy added, "I wouldn't be surprised if it's possible to turn this into arbitrary code execution."
Ormandy then sent what he described as an "angry e-mail" to AVG about the bugs. "Apologies for my harsh tone, but I'm really not thrilled about this trash being installed for Chrome users," he wrote to AVG. "The extension is so badly broken that I'm not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it's a PuP [Potentially unwanted Program]. Nevertheless, my concern is that your security software is disabling web security for 9 million Chrome users, apparently so that you can hijack search settings and the new tab page."
AVG's developers quickly turned around a fix, but all it did was try to "whitelist" requests only from hosts that contained the string "avg.com" in their name. Malicious websites that used avg.com in their names (such as the example provided on Ormandy's response, https://www.avg.com.www.attacker.com) could still spoof the AVG servers, and attackers could still use a man-in-the-middle attack to pass malicious JavaScript back to a victim—regardless of whether the connection was secure or not. And, as Ormandy noted, "Any XSS on avg.com can be used to compromise Chrome users"—a quick search of AVG's sites found plenty of opportunity for such attacks.
As of December 28, AVG had completed a more secure patch, but installations of the plugin were still frozen while Google's Chrome Web Store team investigated possible policy violations by AVG—violations that could get AVG kicked off the Chrome Store completely.
Ars has reached out to Google and AVG for further comment but received no response as of yet. In a statement sent to the BBC, an AVG spokesperson said, "We thank the Google Security Research Team for making us aware of the vulnerability with the Web TuneUp optional Chrome extension. The vulnerability has been fixed; the fixed version has been published and automatically updated to users." It's not clear whether that automatic update will work, however, given Google's current block on automatic installs of the plugin.
No comments:
Post a Comment
Note: only a member of this blog may post a comment.