
How did AVG Web TuneUp expose user data?

The AVG Web TuneUp browser extension, advertised as a way to control user privacy, exposed Chrome users' personal data. Expert Michael Cobb explains how this happened.

Apparently security vendor AVG accidentally exposed Chrome users' browsing data and other personal info through a "force-installed" browser extension. Google has criticized AVG and the browser extension, which was able to bypass Chrome's security checks on extensions. How did this exposure occur, and why didn't Chrome catch the extension before it created a problem?

AVG Technologies is a Czech computer security software company that produces AVG AntiVirus, a family of antivirus and Internet security software. Last year AVG released a free browser extension called AVG Web TuneUp, advertised as allowing users to "search securely, surf safer, control privacy and leave no tracks." It provides reputation-based protection against malicious websites and works, like most reputation-based services, by sending the URLs of sites about to be visited by the user to AVG's servers to check them against a database of known malicious sites.

Anyone using Google's Chrome browser can find and install the AVG Web TuneUp extension from the Chrome Web Store, or directly from AVG's website. The latter option is possible because Google allows developers to initiate app and extension installations "inline" from their site. Although the apps and extensions are hosted in the Chrome Web Store, users don't have to leave the vendor's site to install them. When users begin an inline app installation, they see the same installation confirmation dialog as when installing directly from the Chrome Web Store; it lists all of the permissions that the app or extension is requesting, along with the average Chrome Web Store rating and the current number of users.

Despite the list of permissions that the AVG Web TuneUp extension requests -- to read and change your browsing history, change your homepage, change your search settings and change your start page -- around 9 million users have installed it. Judging by users' comments, many are now unhappy at giving up control of their browser's search settings to the extension, and some claim that it's no better than a potentially unwanted program or virus that hijacks a user's browser configuration.

Of greater concern, and the reason behind Google's criticism of AVG, is the way the extension uses numerous JavaScript APIs to control search settings and check the URLs a user is about to visit. AVG's implementation could be easily exploited by an attacker through cross-site scripting, potentially exposing the browsing history and other personal data of users who have installed the extension. Google Security researcher Tavis Ormandy posted a proof-of-concept exploit that stole the authentication cookies from AVG's website to show how the APIs were being misused, along with a request that AVG issue a fix as a top priority. Sadly, the first fix was a poorly crafted whitelist check that did nothing to stop attackers from using a man-in-the-middle attack to pass malicious JavaScript to a victim. Ormandy commented, "Any XSS on can be used to compromise Chrome users," and in fact found examples for such attacks on AVG's sites.
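To make the whitelist failure concrete, here is an added illustration (not AVG's code and not from this article) of how an extension's privileged message handler might decide which page is allowed to call it. It assumes the weak check matched only the hostname, which is what lets a man-in-the-middle on plain HTTP satisfy it; the function names and the `vendor.example` host are constructed placeholders.

```javascript
// Added illustration (not AVG's code): an extension's privileged message
// handler deciding whether the page that sent a request may use it.
// "vendor.example" is a constructed placeholder for the vendor's domain.
const TRUSTED_HOST = "vendor.example";

// Weak allowlist: hostname suffix only. It accepts plain HTTP (so an
// on-path attacker serving a fake vendor page passes) and any host that
// merely ends in the trusted string, such as "evilvendor.example".
function weakIsTrusted(originUrl) {
  try {
    return new URL(originUrl).hostname.endsWith(TRUSTED_HOST);
  } catch (e) {
    return false; // an unparsable URL is never trusted
  }
}

// Stricter allowlist: compare the full serialized origin, which pins the
// scheme to https, requires an exact host match and rejects odd ports.
function strictIsTrusted(originUrl) {
  let u;
  try {
    u = new URL(originUrl);
  } catch (e) {
    return false;
  }
  return u.origin === `https://${TRUSTED_HOST}`;
}

// Run both checks over constructed sample origins; returns
// { url: { weak, strict } } so the difference is visible side by side.
function evaluateOrigins() {
  const samples = [
    "https://vendor.example/tuneup", // legitimate vendor page
    "http://vendor.example/tuneup",  // plaintext: injectable by a MITM
    "https://evilvendor.example/",   // suffix lookalike host
    "https://vendor.example:8443/",  // unexpected port
    "not a url",                     // garbage input
  ];
  const results = {};
  for (const s of samples) {
    results[s] = { weak: weakIsTrusted(s), strict: strictIsTrusted(s) };
  }
  return results;
}
```

Running `evaluateOrigins()` shows the weak check accepting the plaintext and lookalike origins that the strict check rejects, which is the property a reviewer should verify before trusting any site-restricted extension API.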

To prevent developers from abusing the Chrome extension API, applications and extensions have to pass through various security checks, but Google said the AVG Web TuneUp installation process was complicated to the point that the unwanted behavior didn't get picked up. Also, once an extension is installed, it is hard for any browser to protect itself against code running at the same privilege level. The main takeaways for enterprise administrators from this episode are:

  • The majority of users will click through and install software if they trust the vendor or deem the software to be useful, no matter what warnings are put in front of them.
  • The rush to market and the drive to capture customer data is putting customers at risk due to a lack of focus on security, often with none being built into products.
  • Automated checks cannot find the determined attacker or determine user intent.
  • Enterprises need to closely control the software that users can download onto devices that will be accessing enterprise networks, no matter which company developed it.

Users of the AVG Web TuneUp extension should have automatically received an updated version by now, while Google's Chrome Web Store team is investigating possible policy violations by AVG.



This was last published in May 2016
