Google discovers a serious vulnerability in security software meant to keep PCs safe

Many people use security tools to safely use the Internet. Google researchers have discovered that one such security tool has a serious vulnerability.

Google finds AVG Chrome extension to bypass malware checks, possibly exposing browsing data

AVG, a security software maker founded in the Netherlands in 1991, provides a free security tool for browsers called "AVG Web TuneUp". It is an extension for Chrome and Firefox on Windows XP, Vista and 7 that speeds up the browser, alerts users to dangerous sites and blocks web trackers. In addition, "AVG Web TuneUp" appears to recommend AVG's own search engine, "AVG Secure Search", as the default search engine.

AVG security software | Antivirus software | Web TuneUp

The "AVG Web TuneUp" Chrome extension has about 9 million active users around the world, but Google researcher Tavis Ormandy found that it has a critical vulnerability.

According to Ormandy, installing AVG's anti-virus software "AVG Antivirus" forcibly installs the "AVG Web TuneUp" Chrome extension. Google has implemented blocking of Chrome extensions hosted outside the Chrome Web Store. However, when AVG Antivirus is installed, multiple JavaScript APIs are added to Chrome, and these APIs install "AVG Web TuneUp" while bypassing the malware checks that Chrome provides.

"AVG Web TuneUp" sends the URL of the website the user is about to visit to an AVG server to check whether the user is trying to browse a malicious site. It was pointed out, however, that it is possible for a malicious third party to steal this information, and that the extension could also become the target of attacks such as cross-site scripting.

Based on these findings, AVG has made clear that it implemented an emergency bug fix. Tony Anscombe, who is responsible for security management at AVG, stated: "Since we noticed the problem, we have worked on giving top priority to releasing fixes," and also revealed that AVG is reviewing its process for securing software safety. However, Ormandy said there is a concern that AVG's first fix could be subject to a man-in-the-middle attack.

By Donnie Ray Jones

In response to this series of events, the overseas news outlet Neowin harshly criticized AVG Web TuneUp, saying: "AVG Web TuneUp is ostensibly provided as a security tool, but in fact it profits by routing search queries to its own site." Neowin also pointed out that AVG changed its privacy policy a few months ago, stating at that time that "We will sell the user's search history and queries to third parties", and that AVG also changed items related to the use of users' personal information.

AVG's privacy policy can be checked at the following link.

Privacy policy | We are all committed to protecting the privacy of our users | AVG

Will user data be shared?

Yes. However, the case and method of sharing depends on whether it is personal data or non-personal data. AVG shares non-personal data with third parties and may release aggregated information or anonymous information.

We will not sell or rent the user's personal information to third parties.

The policy states "We do not sell personal information of users", but it seems there is a possibility that non-personal data is shared with third parties. Search histories and search queries appear to fall under this non-personal data.

in Software, Security, Posted by logu_ii