Tavis Ormandy, a Google Project Zero researcher, discovered a vulnerability, since fixed, in AVG Web TuneUp. The flaw is a Chrome extension that forcibly installs when users install the AVG antivirus software.

The extension contains a serious flaw that exposes users' browsing history, cookies, and personal data to attackers and has nearly 9 million users.

Ormandy wrote: This extension adds numerous JavaScript API's to chrome, apparently so that they can hijack search settings and the new tab page. The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API.”

Ormandy wrote in a follow-up response: “I believe this issue is resolved now, but inline installations are disabled while the CWS team investigate possible policy violations.”

Avg has responded and wrote: "We thank the Google Security Research Team for making us aware of the vulnerability with the Web TuneUp optional Chrome extension. The vulnerability has been fixed; the fixed version has been published and automatically updated to users.”

Source: SCMagazine