AVG’s extension is flawed, Chrome users are at risk

On AVG.com, there’s a free download available. It’s called Web TuneUp and it’s meant to guarantee a secure and safe browsing activity for every user. Including Chrome aficionados. But is it really?

The website powerfully recites: be safe. Be in control. Free yourself of hidden threats and hackers. Yes, please – we would merrily chant.

Yet, the very software specifically designed to protect users from safety breaches causes the alteration of Chrome’s settings and puts many at risk by exposing users’ browsing history and other personal data. The code could potentially give access – to those who know what to do and where to look – to people’s emails and other online activities. No, thanks – we would firmly exclaim at this point.

Google’s Tavis Ormandy, an English computer security white hat hacker – currently employed by Google as part of their Project Zero team – promptly warned of the issue. He contacted AVG’s Amsterdam-based HQ and apologized for his harsh tone right before going head-on against the cyber security firm:

“I’m really not thrilled about this trash being installed for Chrome users. My concern is that your security software is disabling web security for nine million Chrome users, apparently so that you can hijack search settings and the new tab page”.

In fact, Google blocked the ability of the flawed software to carry out inline installations but AVG seemed to have thought this through and allowed the extension to bypass the vetting so that it could change the user’s search settings and the page displayed when a user opened a new tab. This led Ormandy to wonder whether he should have acted differently by directly addressing the extension abuse team to investigate if it was a PuP.

Ormandy was adamant in his requests. “I hope the severity of this issue is clear to you, fixing it should be your highest priority”. On the other side, AVG lazily replied with a fix some several days later. A fix that did not completely solve the issue.

And this is not even the first time AVG is under the spotlight with cases of bad publicity to deal with. Users’ complaints targeted various AVG’s supplementary software of the like of Web Tune Up in recent years, pointing out that data stored on other websites, such as Gmail, Yahoo, and banking websites, were exposed to online villains of any sort.


AVG’s reputation spreadsheet is not immaculate, it seems. But – it has to be said – the cyber security firm has finally completed a more secure patch and the block on AVG’s usage of inline installation – that Google had to place – has now no effect on the extension update process, so users with the AVG extension installed should have automatically received the updated version, as with any routine update.

Security levels are finally back to normal. Hair extensions and loan extensions were still safe, for those who were wondering. AVG was not involved in those.

Related Posts