AVG Forces Chrome Extension On Users, Extension Is Woefully Insecure (google.com)

← Back to Stories (view on slashdot.org)

AVG Forces Chrome Extension On Users, Extension Is Woefully Insecure (google.com)

Posted by samzenpus on Tuesday December 29, 2015 @10:12AM from the protect-ya-neck dept.

An anonymous reader writes: The AVG Web TuneUp Chrome extension, forcibly added to Google Chrome browsers when users were installing the AVG antivirus, had a serious flaw that allowed attackers to get the user's browsing history, cookies, and more. "This extension adds numerous JavaScript APIs to Chrome, apparently so that they can hijack search settings and the new tab page," explains Mr. Ormandy. "The installation process is quite complicated so that they [AVG] can bypass the Chrome [Store] malware checks, which specifically tries to stop abuse of the [Chrome] Extension API." Simple XSS and MitM attacks expose data from other tabs opened in the browser, browsing history, and even manage to render SSL useless.

5 of 170 comments (clear)

Min score:

Reason:

Sort:

AVG used to be good and then about 4 years ago by Joe_Dragon · 2015-12-29 10:18 · Score: 4, Informative

AVG used to be good and then about 4 years ago it got a lot of bloat
1. Re:AVG used to be good and then about 4 years ago by avandesande · 2015-12-29 10:30 · Score: 4, Informative
  
  I quit using it years ago, I found using Microsoft Security Essentials and running Malwarebytes once a month was satisfactory.
  
  --
  love is just extroverted narcissism
2. Re:AVG used to be good and then about 4 years ago by LinuxIsGarbage · 2015-12-29 11:32 · Score: 3, Informative
  
  AVG and Avast have a combination of bloat, or nags that try to scare you into upgrading to a pay version. MSE, whether or not it's the top in the charts on detection, is a very good option for "set and forget" when dealing with distant relatives.
3. Re:AVG used to be good and then about 4 years ago by wbr1 · 2015-12-29 12:07 · Score: 3, Informative
  
  MSSE was great, but the catch rate has really fallen off in the past 2 years. For a free AV bitdefender or avira are where it is at. Avira tends to be spammy, while bitdefender is quiet, so there in is my current top of the heap.
  Add in a free MalWareBytes scan every 2 weeks, a good adblocker, and non-ISP DNS and you can't get much better.
  If you think you are infected, MalwareBytes anti-root kit, hitman pro, and malwarebytes, and adwcleaner are a good combot to get most stuff out.
  Source, I manage a shop that does lots of residential repairs (ie 80% viruses).
  
  --
  Silence is a state of mime.
Re:Security theater by Anonymous Coward · 2015-12-29 10:25 · Score: 2, Informative

" in fact you can't even buy one for linux"
That's completely BS, but you're right about one thing... "install ... whatever OS you want", even Windows and OS X.
Pretty much the rest of your post is wrong too.