Oh, the irony. Anti-malware provider AVG has been caught hijacking search results by enabling its free Web TuneUp Chrome extension to circumvent the browser’s malware checks. The purpose of the maneuver was apparently to reroute search queries to its own service. According to Google researcher Tavis Ormandy, 9 million users were potentially affected before he forced AVG to fix the issue over several days of back and forth.
According to AVG’s Chrome extension listing, Web TuneUp’s mission is to warn users of “unsafe search results.” It accomplishes this by checking each search query against its database of suspicious sites, then routing the user to its own service called “AVG Secure Search.” According to its website, the default search provider can only be changed inside the extensions for Firefox and Internet Explorer.
Ormandy discovered that Web TuneUp “force-installed” by being designed to get around Chrome’s own security layer for catching malicious plugins. Here’s how he described it:
When a user installs AVG AntiVirus, a Chrome extension called "AVG Web TuneUp" with extension id chfdnecihphmhljaaejmgoiahnihplgn is force-installed. I can see from the webstore statistics it has nearly 9 million active Chrome users.
This extension adds numerous JavaScript API's to chrome, apparently so that they can hijack search settings and the new tab page. The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API.
Anyway, many of the API's are broken, the attached exploit steals cookies from avg.com. It also exposes browsing history and other personal data to the internet, I wouldn't be surprised if it's possible to turn this into arbitrary code execution.
In addition to the problems Ormandy described above, he claimed that the first solution offered by AVG still left users vulnerable to so-called "man in the middle attacks." The researcher said, "...a network man in the middle can redirect a user to attack.avg.com, and supply javascript that opens a tab to a secure https origin, and then inject code into it. This means that a man in the middle can attack secure https sites like GMail, Banking, and so on. "
AVG's extension is ostensibly designed to provide a search safety tool, but it also captures revenue from routing search queries to its own pages. The company has a history of augmenting its core business of selling anti-malware solutions; a few months ago, AVG updated its privacy policy to allow the company to sell a user's browsing and search query history to third parties.
Source: Google Security Research via Ars Technica
25 Comments - Add comment