Example 1: AVG Web TuneUP Broke Chrome’s Security

“AVG Web TuneUP” is installed when you install AVG antivirus. According to the Chrome Web Store, it has nearly 10 million users. AVG’s official description of the extension says it will “warn you of unsafe search results.”

Back in December, Google-employed security researcher Tavis Ormandy discovered that the extension adds a large number of new JavaScript APIs to Chrome when it’s installed and that “many of the APIs are broken.” Aside from exposing your entire browsing history to any website you visit, the extension offered many security holes for websites to easily execute arbitrary code on any computer with the extension installed.

“My concern is that your security software is disabling web security for 9 million Chrome users, apparently so that you can hijack search settings and the new tab page,” he wrote to AVG. “I hope the severity of this issue is clear to you, fixing it should be your highest priority.”

Four days after it was reported, AVG had a patch. As Ormandy wrote: “AVG submitted an extension with a “fix”, but the fix was obviously incorrect.” He had to provide instructions for how to fix this flaw, and AVG issued an updated patch a day later.