AVG has been forced to update its Web Tuneup add-on for Chrome after a Google security researcher found it could be exploited to gain access to the personal data of users.
Google researcher Tavis Ormandy wrote on a Google Security Research discussion forum that the Web Tuneup tool was “force-installed … when a user installs AVG anti-virus”, which has given it some nine million active Chrome users.
“Apologies for my harsh tone, but I'm really not thrilled about this trash being installed for Chrome users,” Ormandy wrote in a letter to AVG.
“My concern is that your security software is disabling web security for 9 million Chrome users, apparently so that you can hijack search settings and the new tab page.”
Ormandy said that “multiple obvious attacks [were] possible” and enclosed a potential exploit that “steals cookies from avg.com … [and] also exposes browsing history and other personal data to the internet.”
AVG patched the extension and, in a brief statement to the BBC, thanked Google for locating the vulnerability.
“The vulnerability has been fixed; the fixed version has been published and automatically updated to users,” AVG said.
Ormandy also noted that AVG would no longer be able to install the extension as part of its anti-virus suite “while the CWS [Chrome Web Store] team investigate possible policy violations.”