The Flat Earth Society

Other Discussion Boards => Technology & Information => Topic started by: xasop on December 29, 2015, 07:09:28 AM

Title: AVG AntiVirus force-installs vulnerable Chrome extension
Post by: xasop on December 29, 2015, 07:09:28 AM
A report has been published of multiple vulnerabilities (https://code.google.com/p/google-security-research/issues/detail?id=675) in a Chrome extension installed by AVG AntiVirus. The bug report linked is somewhat technical, but until a week ago, this basically allowed any website you visit to access any other pages you may have open, your browsing history, and probably more.

A fix provided a week ago by AVG reduces this vulnerability to hijacking via XSS vulnerabilities on AVG's own website, which appear to be fairly easy to find. In other words, completely owning your Chrome session has gone from trivial to very easy.

In summary, this allows an attacker to very easily gain access to any web-based e-mail, banking and other sensitive and/or financial services you use.

Any AVG users probably want to permanently uninstall their software and make sure the "Web TuneUp" Chrome extension is removed as well.

Title: Re: AVG AntiVirus force-installs vulnerable Chrome extension
Post by: Lord Dave on December 29, 2015, 07:22:59 AM
Welp... Glad I stick with Bitdefender.

Title: Re: AVG AntiVirus force-installs vulnerable Chrome extension
Post by: Misero on December 31, 2015, 02:35:23 PM
Avast!