- Southwest Airlines passengers receive free Nintendo Switch consoles and Mario Maker 2 Wednesday 9:10 PM
- The Deplorable Choir drops diss track aimed at 4 congresswomen from Trump’s racist tweets Wednesday 8:09 PM
- Florida city is pushing homeless people out by playing ‘Baby Shark’ on a loop Wednesday 7:27 PM
- A ‘Gossip Girl’ reboot is coming to HBO Max–and fans are not happy with the casting details Wednesday 6:44 PM
- Beto can’t leverage his slave owner ancestry to gain Black voters’ trust Wednesday 5:51 PM
- Oakland to become the third U.S. city to ban facial recognition Wednesday 5:50 PM
- ‘Release the Snyder Cut’ billboards pop up outside of San Diego Comic-Con Wednesday 5:24 PM
- Iggy Azalea and Peppa Pig have an epic Twitter fight Wednesday 4:39 PM
- Should you be concerned about your privacy on FaceApp? Wednesday 4:15 PM
- Google ‘terminates’ Dragonfly, its censored search engine for China Wednesday 3:33 PM
- AOC rips Facebook during Libra House hearing Wednesday 3:14 PM
- The time traveler conversation meme finds its way to TikTok Wednesday 2:52 PM
- Grimes claims she had an ‘experimental’ eye surgery and practices sword fighting Wednesday 2:42 PM
- 70 Border Patrol employees under investigation for posts in secret Facebook group Wednesday 1:45 PM
- Republican’s Operation Safe Return criticized as cover for mass deporation Wednesday 1:42 PM
Not so safe after all.
A plug-in for Google Chrome that promised to keep users safe has been doing exactly the opposite.
AVG, the maker of a popular Internet security software, offers users a free browser add-on called Web TuneUp. The service is intended to monitor search results and websites to ensure safe and secure browsing by warding off “hidden threats and trackers.”
Tavis Ormandy, a member of Google’s Project Zero team, found Web TuneUp to being something it didn’t advertise, as well: exposing the Internet history and personal data of its users.
Nine million people have Web TuneUp installed, in part because, according to Ormandy, it would “force install” to the browser when AVG AntiVirus was installed on a computer. This left users with no way to opt out of the extension, which was altering browser settings and bypassing Chrome’s built-in malware checks.
Flaws in the program left users exposed to potential man-in-the-middle attack through an insecure website, then eject malicious code into secure sites. The type of exploit would allow an attacker to potentially view a user’s emails and monitor other activities.
Ormandy first spotted the issue on December 15, posting it on the Google Security Research issues board and alerting AVG of the issue.
“Apologies for my harsh tone, but I’m really not thrilled about this trash being installed for Chrome users,” he wrote to AVG. “The extension is so badly broken that I’m not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it’s a PuP [potentially unwanted program].”
After failing to properly address the situation in its initial fix, AVG provided a resolution to the issue nearly one week after first being made aware of it. A new version of the Web TuneUp extension, version 188.8.131.52, is now available with the fix.
AVG confirmed the resolution to the Daily Dot, stating, “We thank the Google Security Research Team for making us aware of the vulnerability with the Web TuneUp optional Chrome extension. The vulnerability has been fixed; the fixed version has been published and automatically updated to users.”
While AVG noted Web TuneUp is “optional,” one of the contentions about the extension is that it was automatically installing. It currently doesn’t automatically install, but that’s because Google no longer allows it to; inline installations for the plug-in have been disabled while it is investigated for policy violations.
AVG users should make sure if Web TuneUp is installed on their browser, that it is up to date to the latest and most secure version. The extension can be disabled or removed from the Extensions menu in Chrome. Users can also reset their new tab page and search settings, which Web TuneUp modifies, by going to Chrome’s Settings menu.
AJ Dellinger is a seasoned technology writer whose work has appeared in Digital Trends, International Business Times, and Newsweek. In 2018, he joined Gizmodo as the nights and weekend editor.