AVG Chrome extension exploit patched by company, stole cookies and exposed personal data
AVG has fixed an exploit in its AVG Chrome extension that stole cookies, exposed personal web browsing history, and read personal email, along with other secret data of antivirus users. The Chrome extension, called AVG Web TuneUp, is installed the moment a person downloads the AVG antivirus software onto his or her computer or mobile device. Google reported the AVG Chrome problem to the antivirus company on December 15th:
“When a user installs AVG AntiVirus, a Chrome extension called ‘AVG Web TuneUp’ with extension id chfdnecihphmhljaaejmgoiahnplgn is force-installed. I see from the webstore statistics it has nearly 9 million active Chrome users. This extension adds numerous Javascript API’s to chrome apparently so that they can hijack search settings and new tab page. The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API.
Anyway, many of the API’s are broken, the attached exploit steals cookies from avg.com. It also exposes browsing history and other personal data to the internet. I wouldn’t be surprised if it’s possible to turn this into arbitrary code execution.”
The Google team also stated that the AVG Chrome exploit would be reported to the public if AVG didn’t patch it within 90 days. AVG wrote back to Google, stating that “It has now reached the proper personnel in AVG.” The company has since fixed the AVG Chrome exploit, but the damage has already been done for AVG users.
It’s a real shame that an antivirus company could be guilty of such an exploit. How can a company that is meant to protect users from viruses and theft have such a major software exploit in its AVG Chrome extension, considering that Chrome is now used by over 800 million users worldwide? Chrome is a popular mobile web browser, which means that millions and millions of users are subject to hacking attacks and identity theft at the hands of malicious hackers who only want to hijack systems and servers for their own purposes.
The AVG Chrome extension exploit is unfortunate, but it just goes to show that those in authority should do more to protect our data. It is unfair to provide antivirus and antitheft services, only to leave user data open in such a way that the services AVG provides would do little good in the event of a hack. If companies really want to protect our user data, then exploits like this should never remain open for so long. Google did well to step in and get AVG to fix the issue within 90 days, but 90 days is still too long for exploits to remain open; these types of reports should be made known within 3 days so that users can take the appropriate steps they need.
My best advice about the AVG Chrome extension exploit? If this disturbs you, and you are to be applauded if it does, leave AVG and go to a much better antivirus provider such as Avast Mobile. I’ve had some unpleasant experiences with AVG myself, including an encounter with representatives who couldn’t speak English and transferred me to a water company instead of the proper division to help with my antivirus issues. I was recommended Avast Mobile by a Verizon representative, and haven’t looked back to AVG ever since. I’ve never had a problem with Avast, and, compared to AVG, you won’t either.
If this teaches us anything, it’s that you should protect yourself with several layers, one of the most important being an excellent VPN.