Security company AVG, well known for its free and commercial security products that offer a wide range of security related safeguards and services, has put millions of Chrome users at risk recently by breaking Chrome security in a fundamental way in one of its extensions for the web browser.
AVG, like many other security companies offering free products, is using different monetization strategies to earn revenue from its free offerings.
One part of the equation are getting customers to upgrade to paid versions of AVG and for a while , that was the only way things worked for companies like AVG.
The free version works fine on its own but is being used to advertise the paid version that is offering advanced features such as anti-spam or an enhanced firewall on top of that.
Security companies started to add other revenue streams to their free offerings, and one of the most prominent one in recent time involved the creation of browser extensions and the manipulation of the browser's default search engine, home page and new tab page that go along with it.
Customers who install AVG software on their PC get a prompt in the end to safeguard their browsers. A click on ok in the interface installs AVG Web TuneUp in compatible browsers with minimal user interaction.
The extension has more than 8 million users according to the Chrome Web Store (according to Google's own statistics nearly nine million).
Doing so changes the home page, new tab page and default search provider in the Chrome and Firefox web browser if installed on the system.
The extension that gets installed requests eight permissions including the permission to "read and change all data on all websites", "mange downloads", "communicate with cooperating native applications", "managing apps, extensions and themes", and changing home page, search settings and start page to a custom AVG search page.
Chrome notices the changes and will prompt users offering to restore settings to their previous values if the changes made by the extension were not intended.
Quite a few issues arise from installing the extension, for instance that it changes the startup setting to "open a specific page" ignoring the users choice (for instance to continue the last session).
If that is not bad enough, it is quite difficult to modify changed settings without disabling the extension. If you check the Chrome settings after installation and activation of AVG Web TuneUp, you will notice that you cannot modify home page, start parameters or search providers anymore.
The main reason why these changes are made is money, not user security. AVG earns when users make searches and click on ads on the custom search engine they have created.
A Google employee filed a bug report on December 15 stating that AVG Web TuneUp was disabling web security for nine million Chrome users. In a letter to AVG he wrote:
Apologies for my harsh tone, but I'm really not thrilled about this trash being installed for Chrome users. The extension is so badly broken that I'm not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it's a PuP.
Nevertheless, my concern is that your security software is disabling web security for 9 million Chrome users, apparently so that you can hijack search settings and the new tab page.
There are multiple obvious attacks possible, for example, here is a trivial universal xss in the "navigate" API that can allow any website to execute script in the context of any other domain. For example, attacker.com can read email from mail.google.com, or corp.avg.com, or whatever else.
Bascially, AVG is putting Chrome users at risk through its extension which supposedly should make web browsing safer for Chrome users.
AVG responded with a fix several days later but it was rejected as it did not resolve the issue completely. The company tried to limit exposure by only accepting requests if the origin matches avg.com.
The issue with the fix was that AVG only verified if avg.com was included in the origin which attackers could exploit by using subdomains that included the string, e.g. avg.com.www.example.com.
Google's response made it clear that there was more at stake.
To be absolutely clear: this means that AVG users have SSL disabled.
AVG's second update attempt on December 21 was accepted by Google, but Google did disable inline installations for the time being as possible policy violations were investigated.
AVG put millions of Chrome users at risk, and failed to deliver a proper patch the first time which did not resolve the issue. That's quite problematic for a company that is trying to protect users from threats on the Internet and locally.
It would be interesting to see how beneficial, or not, all those security software extensions are that get installed alongside antivirus software. I would not be surprised if results came back that they do more harm than provide use to users.
Now You: Which antivirus solution are you using?
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.