The AVG Web TuneUp Chrome extension, forcibly added to Google Chrome when users installed the AVG antivirus, had a serious flaw that allowed attackers to obtain the user's browsing history, cookies, and more.
The vulnerability was discovered by Google Project Zero researcher Tavis Ormandy, who worked with AVG for the past two weeks to fix the issue.
A half-baked Chrome extension
In theory, this gave attackers access to data stored on other websites, such as Gmail, Yahoo, banking sites, and others. All an attacker had to do was convince a user to open a malicious URL.
The extension rendered HTTPS connections useless
Websites served over HTTPS were also affected; Mr. Ormandy stated that users of this extension effectively "have SSL disabled." Version 220.127.116.11 of AVG Web TuneUp fixed this issue.

In the meantime, Google blocked AVG's ability to carry out inline installations of this extension. This means that users who want to install the extension have to go to the Chrome Web Store and trigger the installation with a click. The Chrome Web Store team is also investigating AVG for possible Web Store policy violations.