- Trump complains about his Twitter follower count to Jack Dorsey Tuesday 6:34 PM
- ‘Avengers: Endgame’ sticks the devastating landing—and gives you time to grieve Tuesday 5:00 PM
- Teen hits Apple with $1 billion lawsuit over alleged face recognition arrest Tuesday 4:48 PM
- John Cornyn tried to attack Patton Oswalt for his old tweets and failed miserably Tuesday 4:29 PM
- Logan Paul is selling a pillow of his dead dog—for a good cause Tuesday 4:04 PM
- Study: Too much Netflix, not enough ‘chill’ Tuesday 3:36 PM
- Pete Buttigieg under fire for saying incarcerated Americans shouldn’t be allowed to vote Tuesday 2:54 PM
- Vine’s co-founder is beta testing a new app called Byte Tuesday 2:51 PM
- Report: Joe Biden’s first 2020 fundraiser will be with a Comcast executive Tuesday 2:49 PM
- Netflix’s ‘Sabrina’ appears to have an art-copying problem (updated) Tuesday 2:47 PM
- People are crying over these cats’ window-sill romance Tuesday 2:27 PM
- The ‘I’m baby’ meme is all about being comforted Tuesday 2:24 PM
- Parody video totally nails what men are like on Tinder Tuesday 1:57 PM
- Twitch star AriLove latest woman to be arbitrarily banned for ‘sexually suggestive’ attire Tuesday 1:47 PM
- The 18 best Korean beauty sheet masks Tuesday 1:25 PM
Not so safe after all.
A plug-in for Google Chrome that promised to keep users safe has been doing exactly the opposite.
AVG, the maker of a popular Internet security software, offers users a free browser add-on called Web TuneUp. The service is intended to monitor search results and websites to ensure safe and secure browsing by warding off “hidden threats and trackers.”
Tavis Ormandy, a member of Google’s Project Zero team, found Web TuneUp to being something it didn’t advertise, as well: exposing the Internet history and personal data of its users.
Nine million people have Web TuneUp installed, in part because, according to Ormandy, it would “force install” to the browser when AVG AntiVirus was installed on a computer. This left users with no way to opt out of the extension, which was altering browser settings and bypassing Chrome’s built-in malware checks.
Flaws in the program left users exposed to potential man-in-the-middle attack through an insecure website, then eject malicious code into secure sites. The type of exploit would allow an attacker to potentially view a user’s emails and monitor other activities.
Ormandy first spotted the issue on December 15, posting it on the Google Security Research issues board and alerting AVG of the issue.
“Apologies for my harsh tone, but I’m really not thrilled about this trash being installed for Chrome users,” he wrote to AVG. “The extension is so badly broken that I’m not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it’s a PuP [potentially unwanted program].”
After failing to properly address the situation in its initial fix, AVG provided a resolution to the issue nearly one week after first being made aware of it. A new version of the Web TuneUp extension, version 126.96.36.199, is now available with the fix.
AVG confirmed the resolution to the Daily Dot, stating, “We thank the Google Security Research Team for making us aware of the vulnerability with the Web TuneUp optional Chrome extension. The vulnerability has been fixed; the fixed version has been published and automatically updated to users.”
While AVG noted Web TuneUp is “optional,” one of the contentions about the extension is that it was automatically installing. It currently doesn’t automatically install, but that’s because Google no longer allows it to; inline installations for the plug-in have been disabled while it is investigated for policy violations.
AVG users should make sure if Web TuneUp is installed on their browser, that it is up to date to the latest and most secure version. The extension can be disabled or removed from the Extensions menu in Chrome. Users can also reset their new tab page and search settings, which Web TuneUp modifies, by going to Chrome’s Settings menu.
AJ Dellinger is a seasoned technology writer whose work has appeared in Digital Trends, International Business Times, and Newsweek. In 2018, he joined Gizmodo as the nights and weekend editor.