Google researcher suggests vulnerability in Chrome extension AVG fixed

Dec

30

2015

Researcher Tavis Ormandy of the Project Zero security team at Google found a leak in the Chrome extension AVG Web TuneUp. This would have made it possible for attackers via APIs to see all kinds of user information. The leak has been plugged.

AVG fpa Ormandy says in the description that the AVG extension during installation Chrome bypass existing security measures against malware. The program would then be able to adjust search settings and the page that opens the browser can set up in a new tab. Ormandy wrote to AVG that “the extension so broken that he does not know whether he should report it as a vulnerability or it should be examined as potentially unwanted programs. This while the extension is designed to make it safer and browsing would be present in the browsers of approximately nine million users.

An attacker could intercept using the programming interfaces of the extension via cross site scripting email or perform a man-in-the-middle attack referenced. Also, the researcher does not rule out that remote arbitrary code could have been exported. The dialogue between Ormandy and AVG shows that the company initially tried the leak sealer patches that offer virtually no solution. Only after some back-and-forth comes AVG with a solution according to the researcher is workable. Ormandy late Tuesday that still an investigation is under way into whether AVG with the extension breaks the rules. The update would be available in version 4.2.5.169 of the extension.

Viewing:-148

In: Technology & Gadgets Asked By: [15176 Red Star Level]

Answer this Question

You must be Logged In to post an Answer.

Not a member yet? Sign Up Now »