A plug-in for Google Chrome that promised to keep users safe has been doing exactly the opposite.
AVG, the maker of a popular Internet security software, offers users a free browser add-on called Web TuneUp. The service is intended to monitor search results and websites to ensure safe and secure browsing by warding off “hidden threats and trackers.”
Tavis Ormandy, a member of Google’s Project Zero team, found Web TuneUp to be doing something it didn’t advertise as well: exposing the Internet history and personal data of its users.
Nine million people have Web TuneUp installed, in part because, according to Ormandy, it would “force install” to the browser when AVG AntiVirus was installed on a computer. This left users with no way to opt out of the extension, which was altering browser settings and bypassing Chrome’s built-in malware checks.
Flaws in the program left users exposed to a potential man-in-the-middle attack: an attacker could use an insecure website to inject malicious code into secure sites. This type of exploit would allow an attacker to potentially view a user’s emails and monitor other activities.
Ormandy first spotted the issue on December 15, posting it on the Google Security Research issues board and alerting AVG of the issue.
“Apologies for my harsh tone, but I’m really not thrilled about this trash being installed for Chrome users,” he wrote to AVG. “The extension is so badly broken that I’m not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it’s a PuP [potentially unwanted program].”
After failing to properly address the situation in its initial fix, AVG provided a resolution to the issue nearly one week after first being made aware of it. A new version of the Web TuneUp extension, version 184.108.40.206, is now available with the fix.
AVG confirmed the resolution to the Daily Dot, stating, “We thank the Google Security Research Team for making us aware of the vulnerability with the Web TuneUp optional Chrome extension. The vulnerability has been fixed; the fixed version has been published and automatically updated to users.”
While AVG noted Web TuneUp is “optional,” one of the contentions about the extension is that it was automatically installing. It currently doesn’t automatically install, but that’s because Google no longer allows it to; inline installations for the plug-in have been disabled while it is investigated for policy violations.
AVG users who have Web TuneUp installed on their browser should make sure it is updated to the latest and most secure version. The extension can be disabled or removed from the Extensions menu in Chrome. Users can also reset their new tab page and search settings, which Web TuneUp modifies, from Chrome’s Settings menu.