Google has banned AVG from automatically installing its Web TuneUp Chrome extension – after the widget wrecked the online security of nine million people.
Tavis Ormandy, a Google Project Zero researcher who has been auditing antivirus software, found the extension was riddled with vulnerabilities. Web TuneUp is installed with AVG's antivirus package, and it attempts to stop Chrome users from surfing to websites hosting malware. It is used by 9,050,432 people.
According to Ormandy, the extension leaked "browsing history and other personal data to the internet." Malicious websites could exploit the toolbar's programming blunders to access other websites a user was logged into. In other words, a script running on a webpage in a tab could invisibly access, say, mail.google.com as the user, and hijack the victim's webmail inbox.
"Apologies for my harsh tone, but I'm really not thrilled about this trash being installed for Chrome users," Ormandy told AVG's engineers in his security bug report.
"The extension is so badly broken that I'm not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it's a PuP [potentially unwanted program aka malware]."
AVG nuked the reported vulnerabilities in version 18.104.22.168 of Web TuneUp, which was released last week. However, it is understood AVG is no longer allowed to install the extension automatically – it must be fetched manually from the Chrome Web Store if users really want it – and that the store team is investigating the widget for potential Google policy violations.
"We thank the Google Security Research Team for making us aware of the vulnerability with the Web TuneUp optional Chrome extension. The vulnerability has been fixed; the fixed version has been published and automatically updated to users," an AVG spokesperson told The Register. ®