AVG Exposes 9 Million Users’ Data with Chrome Plugin

In today’s ever-growing cyber world, consumers look to cyber security giants for 24-hour support and protection, but we are constantly reminded of the many vulnerabilities that exist even among large anti-virus software corporations. AVG’s recently added “Web TuneUp” add-on for the Google Chrome browser promised to protect users when surfing unsafe websites. However, it ended up exposing the browsing history and other personal data of 9 million users to hackers who knew how to collect the information (CNET).

This free plugin installed by AVG adds numerous JavaScript APIs to Chrome in order to bypass the Chrome browser’s malware security checks, which are designed specifically to deter exactly this kind of action through the extension API. Many of the APIs it added were broken and thus allowed easy exploitation by a hacker through cross-site scripting, as described in a post made by Google security researcher Tavis Ormandy on December 15 (Ars Technica). In version of the AVG Web TuneUp Chrome extension. Google’s Chrome Web Store team is investigating possible policy violations, according to researcher Tavis Ormandy, and it is worth noting that, per data exfiltration firm enSilo, “security products such as Kaspersky’s Anti-Virus 2015 MR2 and Internet Security’s McAfee VirusScan Enterprise version 8.8 were also affected by the flaw.” (Security Week)

Google Project Zero researcher Tavis Ormandy (also known for blindsiding Trend Micro and Kaspersky by releasing vulnerabilities in their software without prior notification), who initially discovered the vulnerability, wrote in a follow-up statement that the issue has now been resolved (SC Magazine).

Our Analysis

These types of vulnerabilities are unfortunately quite common, but there is much that can be done to prevent something like this from happening again. For starters, adding APIs that bypass Google Chrome’s security functions is a big mistake. If behavior like this is faithfully avoided in the future, and AVG and other security companies make sure to follow security protocol without taking shortcuts, the risk of a data breach will decrease considerably. It is of utmost importance that these companies start following stricter guidelines, or vulnerabilities such as this won’t be easily avoided in the future.

It is a relief that the issue causing this breach is now fixed, but nothing can excuse the fact that millions of users had their personal data exposed. In this case, it is safe to use the add-on now, but it’s imperative that we reconsider all of the companies that we trust with our personal data.

When selecting whom we give our information to, it is important to research who has the better track record of maintaining strict security standards, rigorous maintenance and constant updating of software.

Other High Profile Breaches:

Experian (includes T-Mobile)
Trump Hotels
Tesla and Chrysler (unrelated to each other)
Apple App Store
U.S. Office of Personnel Management (OPM)
Kaspersky & FireEye (unrelated to each other)
Excellus Blue Cross Blue Shield
Ashley Madison
Ashley Madison (follow up)



Sources:

Ars Technica
Security Week
SC Magazine
Slash Gear
