Millions of Chrome users’ data at stake due to AVG Web TuneUp free tool

AVG Web TuneUp is a free tool to protect PCs from malware and web trackers. Unfortunately, the tool that was meant to ward off malware itself contained a flaw that put the data of millions of Chrome users at stake.

As reported recently by BBC News, Google’s security team spotted that AVG Web TuneUp was overriding the safety features built into the Chrome browser. This issue was brought to notice by Google’s Tavis Ormandy to other members of his Project Zero team on December 15th.

AVG Web TuneUp

What did AVG Web TuneUp do?

As per his observation, when a user installs AVG AntiVirus, AVG Web TuneUp is ‘forced’ installed. He also mentioned that around 9 million active Chrome users had this AVG Web TuneUp installed on their browsers.

Ormandy further mentions in his message,

“This extension adds numerous JavaScript API’s to chrome, apparently so that they can hijack search settings and the new tab page. The installation process is quite complicated, so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API. Anyway, many of the API’s are broken, the attached exploit steals cookies from avg.com. It also exposes browsing history and other personal data on the internet, I wouldn’t be surprised if it’s possible to turn this into arbitrary code execution.”

On contacting the Amsterdam-based cybersecurity firm, he mentioned about the problems created by AVG Web TuneUp.

“Apologies for my harsh tone, but I’m really not thrilled about this trash being installed for Chrome users. My concern is that your security software is disabling web security for nine million Chrome users, apparently so that you can hijack search settings and the new tab page. I hope the severity of this issue is clear to you, fixing it should be your highest priority.”

It was revealed that AVG did try to resolve the issue related to AVG Web TuneUp. However, the attempt did not work.

What is the current status of AVG Web TuneUp

AVG confirmed the fact in a statement that the flaw related AVG Web TuneUp has been addressed. And now the vulnerability has been fixed. AVG further mentioned that the fixed version has been published and automatically updated for users.

However, an independent security expert said that although the flaw related to AVG Web TuneUp is now fixed, it shows that almost any software installed on a computer can introduce security vulnerabilities, even if that software is intended to improve security. This should certainly be taken as a warning by all, says BBC.

See this post if you want to completely uninstall AVG Web TuneUp from Windows PC.

Those of you who want to stay safe, may want to take a look at some of the recommended free antivirus software for Windows PC.

Posted by with Tags
Ankit Gupta is an Engineering graduate & an MBA post graduate. He brings with himself 3 years plus global writing experience on technology, travel & finance. He follows technological developments, especially on gadgets. Apart from having an interest in following Microsoft, he also has a deep liking for wild life, & travels to various wildlife conservatories, to be with nature.