Google slams AVG for exposing Chrome user data with “security” plugin
A free plugin installed by AVG AntiVirus bypassed the security of Google’s Chrome browser, potentially exposing the browsing histories and other personal data of customers to the Internet. The vulnerability, demonstrated in an exploit by a Google researcher earlier this year, has now been patched after initial stumbling attempts by AVG, according to a discussion of the bug in Google’s security research discussion list.
AVG’s “Web TuneUp” tool is a free download from the Chrome Store intended to provide reputation-based protection against malicious websites, and it was “force-installed” by AVG AntiVirus. The install, an “in-line” installation, happened only with user permission, but was performed in a way that broke the security checks Chrome uses to test for malicious plugins and malware.
The plugin works by sending the Web addresses of sites visited by the user to AVG’s servers to check them against a database of known malicious sites. But the way the plugin was constructed meant that information could be easily exploited by an attacker through cross-site scripting [XSS], according to a post by Google Security researcher Tavis Ormandy on December 15.