The extension, which has over 9 million active users, contains a serious flaw that exposes users'
- Browsing history
- Cookies,
- and Personal data
....to attackers.
“This extension adds numerous JavaScript API's to chrome, apparently so that they can hijack search settings and the new tab page,” wrote Ormandy in the bug report. “The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API.”
Among the vulnerabilities that AVG Web TuneUp brings along, the researcher mentions a “trivial universal” XSS (Cross-Site Scripting) in the "navigate" API, which could allow websites to execute scripts in the context of any other domains. According to Ormandy, a website could read emails from mail.google.com and perform other actions as well because of this high-severity flaw.
Ormandy was involved in the discovery of vulnerabilities in Kaspersky's anti-virus product in September and a critical vulnerability in FireEye network security devices earlier this month.
Ormandy wrote in a follow-up response to the bug report Monday, “I believe this issue is resolved now, but inline installations are disabled while the CWS team investigate possible policy violations.”
