Netherlands based AVG Antivirus's ' Web TuneUp' chrome extension may have exposed personal data of more than 9 million AVG users.
An exploit discovered by a security researcher at Google Project Zero said that the AVG's free anti-malware Google Chrome extension 'Web TuneUp' has leaked browsing history and data online. This bug if exploited by a knowledgeable attacker could snoop on what website a person has visited or logged into which could be used to steal passwords and hijack logged in accounts easily.
Apologies for my harsh tone, but I'm really not thrilled about this trash being installed for Chrome users. The extension is so badly broken that I'm not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it's a PuP.
As a result, Web TuneUp was automatically banned from installing when a user installs the company's anti-virus software. AVG had released a patched before which was supposed to fix this vulnerability but according to the researcher it did not solve the issue.
"The vulnerability has been fixed; the fixed version has been published and automatically updated to users," said AVG in a statement, thanking Google Security team for making them aware of the vulnerability.
This has forced AVG to stop their software to automatically install the extension for new users. This is a step taken by AVG till their team investigates on this matter not just for security concerns but even as a legal standpoint.
The Web TuneUp for Chrome has also been patched and modified to only have limited features till AVG's security team investigates and handles the security concern.
