AVG Antivirus Breaks Google’s Chrome Security


If you’re using the AVG Web TuneUp extension on Chrome, perhaps now is a good time to remove it. A bug report filed by a Google employee last month shows that the extension is disabling security for over 9 million Chrome users. This plugin is one of the most popular browser-based solutions for internet security, but the report shows it does the exact opposite of what it’s supposed to do.


The bug report, available on the Google Security Research website, says:

This extension adds numerous JavaScript API’s to chrome, apparently so that they can hijack search settings and the new tab page. The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API.

Anyway, many of the API’s are broken, the attached exploit steals cookies from avg.com. It also exposes browsing history and other personal data to the internet, I wouldn’t be surprised if it’s possible to turn this into arbitrary code execution.

The report reveals that this extension is very buggy, disables Chrome’s built-in security and hijacks the browser in many ways. To make it even worse, over 9 million users are exposed. The Google employee said:

Nevertheless, my concern is that your security software is disabling web security for 9 million Chrome users, apparently so that you can hijack search settings and the new tab page.

There are multiple obvious attacks possible, for example, here is a trivial universal xss in the “navigate” API that can allow any website to execute script in the context of any other domain.

Although AVG issued a patch immediately after the bug was reported, Google rejected it. Another update was issued on the 21st of last month, but for now inline installation has been disabled.

If you’re using this plugin, perhaps doing away with it for now is the best thing to do.
