Apparently security vendor AVG accidentally exposed Chrome users' browsing data and other personal info through a "force-installed" browser extension. Google has criticized AVG and the browser extension, which was able to bypass Chrome's security checks on extensions. How did this exposure occur, and why didn't Chrome catch the extension before it created a problem?
AVG Technologies is a Czech computer security software company that produces AVG AntiVirus, a family of antivirus and Internet security software. Last year AVG released a free browser extension called AVG Web TuneUp, advertised as allowing users to "search securely, surf safer, control privacy and leave no tracks." It provides reputation-based protection against malicious websites and works, like most reputation-based services, by sending the URLs of sites about to be visited by the user to AVG's servers to check them against a database of known malicious sites.
Anyone using Google's Chrome browser can find and install the AVG Web TuneUp extension from the Chrome Web Store, or directly from AVG's website. The latter option is possible because Google allows developers to initiate app and extension installations "inline" from their site. Although the apps and extensions are hosted in the Chrome Web Store, users don't have to leave the vendor's site to install them. When users begin an inline app installation, they see the same installation confirmation dialog as when installing directly from the Chrome Web Store; it lists all of the permissions that the app or extension is requesting, along with the average Chrome Web Store rating and the current number of users.
Despite the list of permissions that the AVG Web TuneUp extension requests -- to read and change your browsing history, change your homepage, change your search settings and change your start page -- around 9 million users have installed it. Judging by users' comments, many are now unhappy at giving up control of their browser's search settings to the extension, and some claim that it's no better than a potentially unwanted program or virus that hijacks a user's browser configuration.
To prevent developers from abusing the Chrome extension API, applications and extensions have to pass through various security checks, but Google said the AVG Web TuneUp installation process was complicated to the point that the unwanted behavior was not picked up. Also, once an extension is installed, it is hard for any browser to protect itself against processes running at the same privilege level as the browser itself. The main takeaways for enterprise administrators from this episode are:
- The majority of users will click through and install software if they trust the vendor or deem the software to be useful, no matter what warnings are put in front of them.
- The rush to market and the drive to capture customer data are putting customers at risk due to a lack of focus on security, with security often not built into products at all.
- Automated checks cannot find the determined attacker or determine user intent.
- Enterprises need to closely control the software that users can download onto devices that will be accessing enterprise networks, no matter which company developed it.
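As an added defender-side example (not part of the original answer, and not AVG's or Google's code): a Python script that inventories the extensions installed in a Chrome profile and flags any not on an administrator's allowlist that request the kinds of capabilities the install dialog above lists (read/change browsing history, change homepage, search settings or start page, or access to every site). The manifest keys are Chrome's own; the sample manifest and extension ID are constructed placeholders.

```python
import json
import os

# Manifest capabilities matching the permissions listed on this page's install dialog.
SENSITIVE_PERMISSIONS = {"history", "tabs", "webNavigation", "webRequest", "management"}
SETTINGS_OVERRIDES = {"homepage", "search_provider", "startup_pages"}

def is_broad_host(pattern: str) -> bool:
    """True for match patterns that cover every site, e.g. <all_urls> or *://*/*."""
    return pattern == "<all_urls>" or pattern.startswith(("*://*/", "http://*/", "https://*/"))

def audit_extension(ext_id: str, manifest: dict, allowlist: set) -> dict:
    """Summarise the risky capabilities one extension manifest declares."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    overrides = set(manifest.get("chrome_settings_overrides", {}))
    result = {
        "id": ext_id,
        "name": manifest.get("name", "<unnamed>"),
        "allowed": ext_id in allowlist,
        "sensitive_permissions": sorted(perms & SENSITIVE_PERMISSIONS),
        "settings_overrides": sorted(overrides & SETTINGS_OVERRIDES),
        "broad_hosts": sorted(p for p in perms if is_broad_host(p)),
    }
    # Flag anything off the allowlist that can read history, see every site,
    # or take over the homepage, search provider or start page.
    result["flag"] = not result["allowed"] and any(
        result[k] for k in ("sensitive_permissions", "settings_overrides", "broad_hosts"))
    return result

def scan_profile(extensions_dir: str, allowlist: set) -> list:
    """Walk a Chrome profile's Extensions/<id>/<version>/manifest.json tree."""
    findings = []
    for root, _, files in os.walk(extensions_dir):
        if "manifest.json" in files:
            ext_id = os.path.relpath(root, extensions_dir).split(os.sep)[0]
            with open(os.path.join(root, "manifest.json"), encoding="utf-8") as f:
                findings.append(audit_extension(ext_id, json.load(f), allowlist))
    return findings

# Constructed sample (not AVG's real manifest or ID) with the capabilities the page describes.
SAMPLE_ID = "placeholder-extension-id"
SAMPLE_MANIFEST = {
    "name": "Sample Tune-Up", "manifest_version": 2, "version": "1.0",
    "permissions": ["history", "tabs", "<all_urls>", "storage"],
    "chrome_settings_overrides": {
        "homepage": "https://example.invalid/",
        "search_provider": {"name": "Sample", "search_url": "https://example.invalid/?q={searchTerms}", "is_default": True},
        "startup_pages": ["https://example.invalid/"],
    },
}
```

Point `scan_profile` at a profile's `Extensions` directory (e.g. `~/.config/google-chrome/Default/Extensions` on Linux) with the IDs you approve in the allowlist; anything with `flag` set is a candidate for removal or for a Chrome `ExtensionInstallBlocklist` policy entry.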
Users of the AVG Web TuneUp extension should have automatically received an updated version by now, while Google's Chrome Web Store team is investigating possible policy violations by AVG.
Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)