Google Reveals AVG Bug; Slams It For Breach Of Users’ Security
Recently, it came to light that a free plug-in installed by the popular AVG Antivirus has bypassed the security of the tech giant's browser, Chrome. Google's security team has spotted that the said plug-in has overridden the safety features built into their browser, which led to them potentially exposing thousands of users' personal data and their browsing histories. The problem, according to the Amsterdam-based cybersecurity company, has already been addressed, but it is still facing repercussions because of it.
The issue started when Google's Tavis Ormandy noticed the problem and flagged the issue to his Project Zero team members on Dec. 15. The extension, which is called Web TuneUp, is a tool that is free to download from the tech company's Chrome store. The tool supposedly is made to provide protection against malicious websites and was accused to be force installed by AVG.
Usually, an in-line installation is done once a user gave his permission. However, what happened was that it was forced into the user in a way that Chrome's security checks that it usually employs for safety tests against malicious malware and plug-ins were broken. This forced consumers into installing the said tool without any way to opt out of it.
Because of this, Ormandy said that users' Internet history and their other personal data have been exposed and can be seen by other users, especially if they knew where to look or check online. He adds that it could also potentially let hackers spy on consumers' email and online activities, leaving the users vulnerable without any way to defend themselves.
Ormandy said that he has contacted AVG regarding the issue by sending what he describes as an angry email. On the email, he wrote that he apologizes for the note's angry tone but that they are not pleased with what the tool is doing to their Chrome users. According to Ormandy, the concern is towards their security tool's disabling the tech giant's web security for nine million of their Chrome users just so they can hijack the search settings and their new tab page. He also hopes that the severity of the issue is not dismissed but rather fixed and considered to be of highest priority.
AVG developers have quickly responded to the issue, but it has been revealed that despite the messages exchanged between the two companies, the Amsterdam-based company has failed in its initial attempt to fix the flaw. But just this Tuesday, it was known that AVG has finally completed a more secure patch for the problem. Ormandy has confirmed that a new version of the plug-in tool has fixed the issue.
The Amsterdam-based cybersecurity firm released a statement saying that it is thanking the tech giant's Security Research Team for informing it of the problems with its former Web TuneUp optional Chrome extension tool. The issue has been addressed with a fixed version that has since been published and automatically updated to all its consumers.
However, the issue between the two companies seems to be not resolved yet as Ormandy informs the security firm that it would be prevented from auto installing its new plug-in for its users as a consequence. Ormandy also said that it will continue to do so while their team investigates any possible policy violations that AVG might have committed.
The recent issue of AVG could be recalled to be its second problem this year. It could be recalled that earlier in March, Ensilo researchers have also flagged their Security 2015 program after finding a bug that makes it possible for hackers to add codes to Windows PCs that will disable the protection measures employed in the units by the tech company.