AVG Chrome Extension “Web TuneUp” Put 9 Million users at risk

The free Chrome browser extension, ‘Web TuneUp’ made and installed by Netherlands based AVG Antivirus has been unveiled as potentially security threat.

Over 9 million AVG users were exposed to the bug. The recently discovered vulnerability may have allowed the personal data and browsing history of its users to be exposed to the entire internet.

While the issue has now been fixed, according to this conversation in the Google-Security-Research forum, it took more than one attempt.

The exploit was discovered by Google Security researcher, Tavis Ormandy, who repeatedly then had to take AVG to task when their initial ‘fixes,’ literally seemed to only paper over the cracks of the issue without resolving the problem, which they eventually managed to accomplish.

Ormandy wrote:

“Apologies for my harsh tone, but I’m really not thrilled about this trash being installed for Chrome users…My concern is that your security software is disabling web security for nine million Chrome users, apparently so that you can hijack search settings and the new tab page…I hope the severity of this issue is clear to you, fixing it should be your highest priority.”

Details of how many of the 9 million AVG users who were using the Chrome extension may have had their information stolen are still unclear.

AVG Web TuneUp, is a plugin that is supposed to help protect users from online threats. Finding such a major security flaw highlighted by an outside source, especially by Google would have been embarrassing enough in itself; but for a company like AVG it can only have caused major embarrassment.

What has compounded AVG’s error is the fact the extension was force installed by AVG, meaning it overwrote Chrome’s built in security, and effectively bypassing Google’s own defences.

AVG has said that the issue was addressed and fixed before Christmas and that all ‘Web TuneUp’ users should now have automatically received a fixed and updated version.

“We thank the Google Security Research Team for making us aware of the vulnerability with the Web TuneUp optional Chrome extension…The vulnerability has been fixed; the fixed version has been published and automatically updated to users,” AVG said in a statement.

As part of the fall-out resulting from the AVG security issue, AVG will in future be prevented from being allowed to automatically install the extension for users.