AVG putting millions of Chrome users at risk

Security company AVG, well known for its free and commercial security products that offer a wide range of security related safeguards and services, has put millions of Chrome users at risk recently by breaking Chrome security in a fundamental way in one of its extensions for the web browser.

AVG, like many other security companies offering free products, is using different monetization strategies to earn revenue from its free offerings.

One part of the equation are getting customers to upgrade to paid versions of AVG and for a while , that was the only way things worked for companies like AVG.

The free version works fine on its own but is being used to advertise the paid version that is offering advanced features such as anti-spam or an enhanced firewall on top of that.

avg web tuneup

Security companies started to add other revenue streams to their free offerings, and one of the most prominent one in recent time involved the creation of browser extensions and the manipulation of the browser's default search engine, home page and new tab page that go along with it.

Customers who install AVG software on their PC get a prompt in the end to safeguard their browsers. A click on ok in the interface installs AVG Web TuneUp in compatible browsers with minimal user interaction.

The extension has more than 8 million users according to the Chrome Web Store (according to Google's own statistics nearly nine million).

Doing so changes the home page, new tab page and default search provider in the Chrome and Firefox web browser if installed on the system.

The extension that gets installed requests eight permissions including the permission to "read and change all data on all websites", "mange downloads", "communicate with cooperating native applications", "managing apps, extensions and themes", and changing home page, search settings and start page to a custom AVG search page.

avg web tuneup permissions

Chrome notices the changes and will prompt users offering to restore settings to their previous values if the changes made by the extension were not intended.

Quite a few issues arise from installing the extension, for instance that it changes the startup setting to "open a specific page" ignoring the users choice (for instance to continue the last session).

If that is not bad enough, it is quite difficult to modify changed settings without disabling the extension. If you check the Chrome settings after installation and activation of AVG Web TuneUp, you will notice that you cannot modify home page, start parameters or search providers anymore.

chrome settings blocked

The main reason why these changes are made is money, not user security. AVG earns when users make searches and click on ads on the custom search engine they have created.

If you add to this that the company announced recently in a privacy policy update that it will collect and sell -- non identifiable -- user data to third-parties, you end up with a scary product on its own.

Security issue

A Google employee filed a bug report on December 15 stating that AVG Web TuneUp was disabling web security for nine million Chrome users. In a letter to AVG he wrote:

Apologies for my harsh tone, but I'm really not thrilled about this trash being installed for Chrome users. The extension is so badly broken that I'm not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it's a PuP.

Nevertheless, my concern is that your security software is disabling web security for 9 million Chrome users, apparently so that you can hijack search settings and the new tab page.

There are multiple obvious attacks possible, for example, here is a trivial universal xss in the "navigate" API that can allow any website to execute script in the context of any other domain. For example, attacker.com can read email from mail.google.com, or corp.avg.com, or whatever else.

Bascially, AVG is putting Chrome users at risk through its extension which supposedly should make web browsing safer for Chrome users.

AVG responded with a fix several days later but it was rejected as it did not resolve the issue completely. The company tried to limit exposure by only accepting requests if the origin matches avg.com.

The issue with the fix was that AVG only verified if avg.com was included in the origin which attackers could exploit by using subdomains that included the string, e.g. avg.com.www.example.com.

Google's response made it clear that there was more at stake.

Your proposed code doesn't require a secure origin, that means it permits http:// or https:// protocols when checking the hostname. Because of this, a network man in the middle can redirect a user to http://attack.avg.com, and supply javascript that opens a tab to a secure https origin, and then inject code into it. This means that a man in the middle can attack secure https sites like GMail, Banking, and so on.

To be absolutely clear: this means that AVG users have SSL disabled.

AVG's second update attempt on December 21 was accepted by Google, but Google did disable inline installations for the time being as possible policy violations were investigated.

Closing Words

AVG put millions of Chrome users at risk, and failed to deliver a proper patch the first time which did not resolve the issue. That's quite problematic for a company that is trying to protect users from threats on the Internet and locally.

It would be interesting to see how beneficial, or not, all those security software extensions are that get installed alongside antivirus software. I would not be surprised if results came back that they do more harm than provide use to users.

Now You: Which antivirus solution are you using?

Summary
Article Name
AVG putting millions of Chrome users at risk
Description
AVG put millions of Google Chrome users at risk through a security extension that the company prompts users to install.
Author
Please share this article

Facebooktwittergoogle_plusredditlinkedinmail



Responses to AVG putting millions of Chrome users at risk

  1. wybo January 1, 2016 at 10:39 am #

    The last time I used AVG was at least 5 years ago. I started using Avira (free version) and never looked back. Happy with it but then I am a layman concerning those things. What i find curious though is that Avira does not use its own firewall but incorporates Windows's firewall in their AV system.
    I have always been wondering if that is a good thing.

    • John January 1, 2016 at 2:03 pm #

      I always considered Avira as one of the weakest AV's. For half the time I had to "salvage" a computer it was "protected" by Avira. Apparently its quite easy for malware makers to disable it.

      I give users Avast if they don't want to pay for it, for the renewance yearly is free, and only require registration. The ones that like a paid version, I give Eset Smart Security or Eset AntiVirus. (depending on their needs)

      • najodleglejszy January 1, 2016 at 9:01 pm #

        I've got recently an email from my brother-in-law with "send from PC protected by Avast" in signature. sketchy move imho.

      • Jason January 1, 2016 at 9:31 pm #

        "send from PC protected by Avast"

        Yup, a friend of mine sent me an email with that little extra as well. It's really lousy corporate practice.

      • wybo January 2, 2016 at 9:27 am #

        Personally I never had any problems with it.

        AV test for example rates it better than Avast.

        https://www.av-test.org/en/antivirus/home-windows/

  2. anohana January 1, 2016 at 11:20 am #

    I use AVG (Free and IS too) for a long time (~10 years). ATM I use with ZoneAlarm free firewall. I don't have problem with the product itself (it doesn't have high RAM or CPU usage), but this move and the information gathering (you can opt out, but the default is in, which is disgusting) make me to look after another product. I don't like how the company started acting. So yeah, it's time to say good bye to AVG. Any recommendation?

    I need something (maybe free) next to my ZoneAlarm free firewall (it's AV eats a lot of RAM).

  3. Pants January 1, 2016 at 11:21 am #

    I happen to use Avast. I could probably even do without an AV. I haven't had a virus since 1997-1998, btw. I have only ever had a few false positives. AV is about 30th on my list of stuff to have/do to secure my PC. Why piss around relyingn on catching shit once it's on your system, when you should be patching the giant holes that let it in. Still, its probably better to have an AV than not (depends on if it's collecting data on you for money, maybe). I'm not saying I'm immune, I could totally get a zero-day exploit. So I have Avast free, custom install, with all extras not installed, and then in settings I have disabled web protection and email protection, and tweaked some settings. I only use file protection. Why would I want any AV product near my email or web browsing, just so it can hijack certs, spy on me, inject adverts, and annoy the hell out of me with popups and noises. I'd rather take a red hot poker iron up the bum. Two even.

    • Crab January 1, 2016 at 6:45 pm #

      "Why would I want any AV product near my email or web browsing"

      Apropos of that, I uninstalled Avast the other day after years of using it, when I noticed the latest update was adding an advertising footer to outgoing webmail (yes, webmail, which it doesn't even scan). You can disable it in settings but it was on by default. I didn't even have the email module or browser extensions installed as far as I know. That makes it malware as far as I'm concerned.

  4. Gary D January 1, 2016 at 11:36 am #

    I had this problem on a Laptop last September. The user had installed AVG free. He could not use Google search and was having problems with Gmail. After trying to fix the problem for a couple of hours, I had a brain wave and checked Google extensions. There it was in the extensions and settings. I trashed the extension, reset the browser settings and AVG was gone. I had previously warned this user about clicking Next, Next, Next without reading tthe install wizard, which is what he had done.
    Some people will never listen and learn!

    • Pants January 1, 2016 at 11:55 am #

      Same (kind of) - at least 3 clients, with avast .. click next next next .. and suddenly all their web browsing is munted. You see my clients all have portable browsers and avast just screws them to pieces trying to hijack the traffic, it's like it can't handle the fact that some programs are on c drive or in /programs etc.

      And when I say munted, I mean to the point where the first time I encountered this (about 2 years ago) the first thing I was checked was ethernet cables, network connections, doing tests with the ISP, getting ports reset (the client had been having connection/speed issues recently as fiber was laid in the area, for about the previously 6 months - so that's where I went). And it was very similar - pages wouldn't load, maybe just the text, no styling - but I could use DNS and so on .. a real mix. Took me hours of mucking around with my tests and those of the ISP and so on.

  5. Ranko K January 1, 2016 at 11:50 am #

    avast free. there's even a free business version with online administration.

    never failed me.

  6. Croatoan January 1, 2016 at 12:01 pm #

    Comodo Firewall

  7. Bill January 1, 2016 at 12:50 pm #

    Vulnerability / total f**k up found in Chrome version, does this mean the IE and Firefox versions are 'safe'? Not that I'd use Web TuneUp / AVG, anyway.

  8. not_black January 1, 2016 at 1:03 pm #

    What's a good free AV these days? Tried avast but it was shit. And apparently AVG is fucked as well.

    • Anonymous January 5, 2016 at 4:55 am #

      BitDefender's free version is an excellent, nonintrusive antivirus solution that has worked well for me. While I think it requires registration (a simple sign-in to Google will do), it will actually protect your computer without using up too much power.

  9. Bill January 1, 2016 at 1:28 pm #

    Panda free AV gets good reviews, although I used Avast free for years without any problems.

    AVG was always popular with noobs but never did well in independent tests. Lately it's been doing a lot better in tests but screwing itself with crappy bloat.

  10. Mike J. January 1, 2016 at 2:41 pm #

    I use Avast free. I have used Avira in the past (it always does well in tests/reviews), but had a hard time getting it to update. I also use Private FW.

  11. Patrick January 1, 2016 at 3:19 pm #

    "You need the Panda Security Toolbar for full protection, but you may not want to set Yahoo as your default search provider, or set the Yahoo-powered MyStart as your home page. (Of course, bundles like these provide the income that lets Panda offer antivirus for freeā€¦)"

    http://www.pcmag.com/article2/0,2817,2463592,00.asp

    What is Panda Security Toolbar?
    Panda Security Toolbar is a Visicom toolbar installed in your Web browser that collects and stores information about your web browsing habits and sends this information to Visicom so they can suggest services or provide ads via the toolbar. - Read more at http://www.shouldiremoveit.com/Panda-Security-Toolbar-10348-program.aspx
    http://www.shouldiremoveit.com/Panda-Security-Toolbar-10348-program.aspx

    • Pants January 1, 2016 at 6:57 pm #

      Sexual Harassment Panda? Is that you?

  12. Vrai January 1, 2016 at 3:34 pm #

    Never liked AVG much. Gave up on Avast a while back after they started piling on more and more 'features' which just made it heavy, bloated, slow, and intrusive.

    I have been using Bitdefender Free and like it very much. The scanning engine may be last years model but the definitions are up to date. Very small footprint and stays out of the way. I would purchase the full version if I can figure out a way to turn off all the extra features I don't want, like email and web browsing filters.

    Windows built in firewall is fine for most users. No need for a third party firewall, especially when used in conjunction with the HOST file and Spyware Blaster.

  13. Michael Fisher January 1, 2016 at 4:21 pm #

    Happy New Year Martin!

  14. exrelayman January 1, 2016 at 4:24 pm #

    I use Bitdefender. In the past I have used Avira, Avast, AVG, Panda, and Windows Defender.
    I cannot attest to which catches viruses best, but can attest that all the others except Windows Defender pester me and also slow my boot time from 5 to 10 seconds more than Bitdefender does. They also slow up page load time in Firefox where Bitdefender does not.

    Windows Defender lets me boot even faster than Bitdefender, but is poorly rated and keeps pestering you to make an update which never properly updates.

    I back up Bitdefender with an occasional: Fsecure online scan, MalawareBytes scan, and Process Explorer scan using its Virus Total feature.

    While not strictly an anti-virus, the Firefox extension Flash Disable is good defense which lets you leave flash off all the time and click an icon in the address bar to activate when you need it.

    • Decent60 January 2, 2016 at 3:19 am #

      Been a long time BitDefender user and as you said, it loads up faster than Avira, Avast, AVG and Panda. The problem is, the others have "additional protection" that isn't included with BitDefender's basic AV (paid or free). Which is the main reason why they're slower to load up. Using Bitdefender Total Security (which is paid), you'll notice a slower boot time than just the regular Bitdefender. It's still faster than the other free ones.

      But I just like to note that while Fsecure and the Virus Total feature are types of AV programs, Malwarebytes isn't AV and does things completely different than any AV product will do (even the ones that 'protects' against malware).
      So it's a bit unfair to say that it's used for "backing up" Bitdefender, as it's another tool to do another specific job.
      Both are great products, don't get me wrong, just some people may think that it's a type of AV (and yes there are still plenty of people thinking that they just need Malwarebytes to handle all Virus and Malware needs).

      One thing I don't like about Bitdefender, is that its free edition states (and probably somewhere for the paid versions) "Unbreachable Security". Anyone in the tech world will not that's 100% BS but it gives people a false sense of security.

  15. stilofilos January 1, 2016 at 5:05 pm #

    I turned my back to AVG some ten years ago, don't remember why but it must have been a major issue for me to give up on protective software. Then tried Nod32 (quite ok) , and Avira and Avast that both crashed in updates and made the web management part of my system partly crash in the process. Also tried that Comodo browser-with-added-security, that appeared to be plain spyware itself.
    Since I had windows reinstalled after those misfortunes, I'm now surfing infection-free for a couple of years, without any 'anti-virus' thing.
    I only use Private Firewall (instead of that m$ thing, not besides it) in tandem with Superantispyware, that at the time started as 'anti-spyware' but meanwhile also blocks all objects that 'anti-virus' tools were made for (viruses, trojans, keyloggers, homepage hijackers, name them). OK, you need its pro version for real-time protection.
    Probably Firefox with uBlock-Origin, NoScript, Ghostery and BetterPrivacy are part of the success as well.
    As a second opinion, I do a scan every month or so with Spybot S&D that always 'congratulates' me with my clean system. And after reading your recent review of Kaspersky, I decided to try that out soon as well.
    It's ironical that such tools that boast protecting you against malware now use the same dirty tactics to trick people not in the know.

    • Decent60 January 2, 2016 at 3:33 am #

      Tbh, Kaspersky, NOD32 and Bitdefender are the top rated (and depending on which site does the testing/review, you'll get different positions for these, but all are in the top 3).
      It really comes down to preference. My buddy likes Kaspersky, I like Bitdefender (but my reason was due to Bitdefender actually stopping a virus I had from completely wiping out my system, but couldn't get rid of it, which was the only AV program that was able to do that much; tho that was 10 years ago), they both protect just as well, it's just the interfaces are different.
      Anymore it's about how you like how things ran. Try each one out, and get a feel for which one you like better, you can't really go wrong.

    • Corky January 2, 2016 at 9:42 am #

      Going on how long ago it was stilofilos i would guess you turned your back on AVG for the same reason i did all them years ago, it used to install the AVG browser toolbar and made other unwanted changes.

      I find most AV solutions these day to be almost as bad as getting infected with a virus or malware, most install so much unneeded rubbish when all most people want/need is a light weight realtime protection solution.

  16. jasray January 1, 2016 at 6:10 pm #

    "Bascially, AVG is putting Chrome users at risk through its extension which supposedly should make web browsing safer for Chrome users."

    AVG isn't doing anything other than marketing bundled software. If anyone follows Ghacks, or some other tech site, he/she has been warned multiple times to choose a custom install and deny requests for any software that is offered in addition to the ONE program desired. A quick check on this site--search bundled adware--shows the following list of articles:

    http://www.ghacks.net/?s=bundled+adware&submit=

    Anyone who receives a prompt that says--in black and white and capital letters--the installation of said additional program-extension changes a number of factors on one's computer and that user still allows the extension to be installed [and complains about Windows 10 privacy on the side] may be naive or intellectually challenged or perceptually handicapped:

    "The extension that gets installed requests eight permissions including the permission to "read and change all data on all websites", "mange downloads", "communicate with cooperating native applications", "managing apps, extensions and themes", and changing home page, search settings and start page to a custom AVG search page."

    Where, why, how is AVG responsible for someone making a decision to let a company take over a browser?

    No sympathy, here.

    • Jason January 1, 2016 at 9:37 pm #

      The complaint by the Google employee was not about AVG's browser-jacking. It was about the possibility of the browser-jacking being used for a man in the middle attack.

  17. anon January 1, 2016 at 8:28 pm #

    Windows Defender

  18. wonton January 1, 2016 at 11:40 pm #

    i am surprised people still use AVG after they added RAT (remote access tool) to there products that can be activated by them at any time while its under the terms "support" its something a security application should not have.

    for a security company they have done many shady things

  19. rickxs January 2, 2016 at 12:44 am #

    Bitdefender free----no nags no crap or ads ,full scan once a week , M/B as a 2nd scan

  20. dan January 2, 2016 at 8:52 am #

    I'm inclined to get a chromebook or cheap laptop and perform all internet facing activities off of an OS (linux) written on a write protected flash stick... or else use virtual machines and rebuild them weekly or monthly. There's no such thing as true protection anymore. Greed has turned everything to shit.

  21. smaragdus January 2, 2016 at 4:11 pm #

    Once I used Avira, then switched to AVG, then to Avast and now I use 360 Total Security. My major complaint against 360 Total Security are the heaps of false positives.

  22. A different Martin January 2, 2016 at 5:48 pm #

    I used AVG Free back in the XP era. I honestly don't remember what I used before that; I think I paid for something for a while.

    Then I switched to Microsoft Security Essentials during the brief time it was highly rated.

    When MSE plummeted in test results, I switched to Avast Free, maintaining a minimal install with only the AV itself and the Software Updater and possibly one other component I have forgotten. I was reasonably happy with Avast for a few years, except for the minor annoyance of too-frequent promotional pop-ups. (No, I take that back: I had extremely long boot times. In retrospect, it's quite possible I enabled boot-time scans, forgot about it, and didn't think to go back to disable them.)

    Then, after a recent Avast program update, some of my FreeFileSync batch jobs mysteriously started hanging during the synchronization phase, without leaving any clues in the Events logs. The same thing happened on a friend's system. I did some research and saw that "Avast's drivers" had reportedly had conflicts with FreeFileSync in the past. I switched my friend's and my computers from Avast Free to Avira Free, a minimal install on mine, the Full Monty on my friend's. The FreeFileSync problem went away.

    I'm still a newbie with Avira, so I can't really say what I think of it. I do appreciate that its promotional pop-ups are less frequent than Avast's.

    I supplement Avira with periodic on-demand scans with Malwarebytes Anti-Malware. I also get some protection from browser-mediated threats by using NoScript and Malwarebytes Anti-Exploit. I haven't gotten a bona fide malware infection for a long, long time (just stuff like false positives on some NirSoft utilities and PUP warnings for installers with OpenCandy, which I circumvent anyway), whereas most of my friends and relatives have had infections ranging from minor to catastrophic (requiring an OS reinstall). I doubt their browsing habits are any riskier than mine, and the biggest difference in our setups is that I use NoScript. NoScript can be a royal PITA on sites that want to run scripts from many different domains, but I have to credit it with keeping me relatively safe from private-sector bad guys.

    Regarding AVG Web TuneUp, that little pre-checked option that says "Auto-confirm browser changes required by AVG Web TuneUp" looks like a case for Unchecky ... if Unchecky can get in there to uncheck it.

  23. Anonymous January 2, 2016 at 7:02 pm #

    Use Norton Internet Security along with Webroot Secure Anywhere. Overkill?, perhaps, but never have been infected, and I use the internet every day.

    • pcninja January 3, 2016 at 12:47 pm #

      Norton!? WHY!?

  24. Randy January 3, 2016 at 2:34 am #

    I have used Bitdefender for many years, but in China Bitdefender and Avira has been blocked off and unable to properly update, Unless use the proxy.So this year I use the panda antivirus.

  25. S2015 January 3, 2016 at 4:09 am #

    1st, seems that AVG Web TuneUp is still a 1.0 product, as the official download@ http://download-toolbar.avg.com/partners/common/AVGWebTuneUp.exe (md5, de8bf3a375d9e6f1efac5af5e6374473) does not provide the "Product Version" info to us.
    2nd, for security, starters should not 100% rely on any virus protection, on proactive sense of security instead.

  26. Franco January 3, 2016 at 5:03 am #

    I used ESET NOD32 for years and watched it slowly deteriorate to the point where I could no longer trust it, so I switched to Bitdefender, then I found the Bitdefender offshoot eScan was usually slightly ahead in detection (albeit a little slower) so I switched to it and I have never looked back. I also use Malwarebytes.

    Microbe/Pro1/ESET Australia automatically charged my credit card for a renewal I did not want, with no warning, and it took 6 weeks to get a refund. I had to threaten them with legal action to get it refunded.

    • Mobi January 9, 2016 at 12:10 pm #

      ESET Australia company is sh*t.
      Scammers and Spammers.
      No more can be said.
      Avoid them.

  27. Dennis January 3, 2016 at 5:41 am #

    Hello, I bought and installed Kasperski and it seemed fine. Then my PC got slower and slower. It was scanning EVERYTHING that I tried to open. It was actually scanning itself and went into an endless loop where I could not even turn off the PC. I had a very difficult job removing it and there are still some remains in my system.
    Once a month I run HouseCall from PCcillin- Trend Micro systems. Seems to work OK for me as it is not on my computer and so can't be 'shut down' by a nasty. I have Avast now on my laptop and I have been very interested in some of the reports/replies. Makes me wonder if I should 1) Make a recovery point before every session on the computer. 2) Only connect to the web when absolutely necessary and 3) Scan and store everything onto my TB H/D. before closing down.
    It is getting to a stage of "Belt, Bracers, Bit of string, Sticky tape, and bandage." and then one of these virus hackers will invent a new "Scissors"
    Regards, Den.

  28. b January 3, 2016 at 12:31 pm #

    I've used G data for a year. They should be quite reliable regarding not leaking thirdparty information and is not that expensive. but then again: what do I know? I read this in a test.

  29. Tony C January 4, 2016 at 1:50 am #

    Never like AVG a bit and they always fools noob users installing unnecessary bloatware claims to be good into their computers. For example AVG PC Tune Up cause memory spike for no reason or probably the users ran the programs that change something in the Windows setting making the system run slower including crashes. I always stay away from their products ever since.

    For personal choice, i would definitely stick with Avira because of good detection rate. Of course AD pop up are annoying but its consume less memory resources and stable. in the end, I think all goes down with the users how they used the internet no matter how good the AV are.

  30. Corytek January 4, 2016 at 10:29 am #

    I have been using AVAST for at least seven years, on recommendation of a computer shop when my mom was buying a computer. I was sold on AVAST when it found 3 infected files on my computer which AVG had missed. My friend installed AVAST on his computer, and again found infected files which AVG had missed.

    I also run anti-spyware: THREATFIRE. I get system reports every month, and consistently, for any previous 90 days, no suspicious activity.

    Combined with the mentioned programs, I also run 5 security extensions / blockers in Firefox. I stopped using Chrome 2 years ago, because I am not too keen on their user tracking.

  31. Nik November 3, 2016 at 10:19 pm #

    I was an AVG reseller five years back. They have horrible customer service, you have to wonder if they even care who is using their software. My biggest beef came when they downgraded my reselling rights because I wasn't a qualified business distributor so they gave me the home plan to distribute crapware and hope someone buys their dog food. Also AVG and Avast are practically the same company just fyi. Better to go with something like Bit Defender and or Kaspersky free or paid.

Leave a Reply