AVG puts Chrome users at risk with security-compromising browser extension, says Google

Requests permissions that mitigate attacks, reports Google employee

Web security firm AVG has come under fire from Google, accused of offering a Chrome browser extension that directly compromises security.

The ironic accusation came from an employee of Google Security Research, who reported AVG's "AVG Web TuneUp" Chrome extension - which apparently now has almost nine million active users - over concerns that the extension could be used to remotely execute code, as well as to publicly expose browsing history.

The extension is installed - by force, according to the Google employee - as part of AVG's standard security suite, which is available in both free and paid versions, and is effectively programmed to override Chrome's standard security processes in order to embed itself in Chrome.

"This extension adds numerous JavaScript APIs to chrome, apparently so that they can hijack search settings and the new tab page," said the Google employee, who originally filed his report on 15 December 2015.

"The installation process is quite complicated so that they can bypass the Chrome malware check, which specifically tries to stop abuse of the extension API.

"Anyway, many of the APIs are broken.... It also exposes browsing history and other personal data to the internet, I wouldn't be surprised if it's possible to turn this into arbitrary code execution."

Penning an email to AVG directly, the Google employee described the extension as "trash" that they were "not thrilled" to see being installed in the browsers of Chrome users, and "disabling web security for nine million" users.

Specifically, the Google employee talks about "multiple obvious attacks possible":

"For example, here is a trivial universal xss in the 'navigate' API that can allow any website to execute script in the context of any other domain. For example, attacker.com can read email from mail.google.com, or corp.avg.com, or whatever else. I hope the severity of this issue is clear to you, fixing it should be your highest priority."

A later post also summarises the Google employee's findings as confirming "AVG users have SSL disabled".

By 20 December, AVG had apparently provided a "fix" that whitelisted specific AVG domains permitted to use the code-executing functionality, a partial measure intended to stop any page whose URL merely contained "www.avg.com" from potentially being able to execute remote code.
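The whitelisting approach described above hinges on how the check is written. The following is an added illustration, not code from AVG or Google, of why a substring test on the URL is not a domain whitelist, and how an exact-origin comparison behaves instead. The allowed origins and the sample URLs are constructed for this example.

```javascript
// Added example: strict origin allowlisting for a privileged browser API.
// The allowed origins below are constructed for illustration only.
const ALLOWED_ORIGINS = new Set([
  "https://www.avg.com",
  "https://secure.avg.com",
]);

// Weak check: a substring test on the raw URL. Any URL that merely contains
// the string (in a longer hostname, a path, or a query string) passes.
function isAllowedWeak(url) {
  return url.includes("www.avg.com");
}

// Hardened check: parse the URL, require https, and compare the full origin
// (scheme + host + port) against the exact allowlist.
function isAllowedStrict(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // unparseable input is never trusted
  }
  if (parsed.protocol !== "https:") return false;
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Constructed sample inputs: one legitimate page plus three URLs that contain
// the whitelisted string without belonging to an allowed origin.
const SAMPLES = [
  "https://www.avg.com/tuneup",
  "https://www.avg.com.example.net/",
  "https://example.net/?ref=www.avg.com",
  "http://www.avg.com/",
];

// Returns, for each URL, what the weak and the strict check decide.
function compareChecks(urls) {
  return urls.map((u) => ({
    url: u,
    weak: isAllowedWeak(u),
    strict: isAllowedStrict(u),
  }));
}

console.table(compareChecks(SAMPLES));
```

Only the first sample should be granted access; the weak check grants it to all four.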

As things stand, however, concerns remain that a lingering XSS bug in the extension means "all AVG users can have their banking, email, everything compromised, so it really needs to be well maintained and audited," as the Google employee wrote on 29 December.

Back in October 2015, AVG was accused of introducing a new privacy policy that would sell personal user data to third parties. The company denied the accusations, but said that "in future [it] might".