You'd think HTTPS certificate checking would be a cinch for a computer security toolkit – but not so for Avast's AntiTrack privacy tool.
Web researcher David Eade found and reported CVE-2020-8987 to Avast: this is a trio of blunders that, when combined, can be exploited by a snooper to silently intercept and tamper with an AntiTrack user's connections to even the most heavily secured websites.
This is because when using AntiTrack, your web connections are routed through the proxy software so that it can strip out tracking cookies and similar stuff, enhancing your privacy. However, when AntiTrack connects to websites on your behalf, it does not verify it's actually talking to the legit sites. Thus, a miscreant-in-the-middle, sitting between AntiTrack and the website you wish to visit, can redirect your webpage requests to a malicious server that masquerades as the real deal, and harvest your logins or otherwise snoop on you, and you'd never know: your browser still sees a valid-looking connection to the proxy.
The flaws affect both the Avast and AVG versions of AntiTrack, and punters are advised to update their software as a fix for both tools has been released.
Eade has been tracking the bug since August last year.
"The consequences are hard to overstate. A remote attacker running a malicious proxy could capture their victim's HTTPS traffic and record credentials for later re-use," he said. "If a site needs two factor authentication (such as a one-time password), then the attacker can still hijack a live session by cloning session cookies after the victim logs in."
Eade said the three security holes were all related to how the Avast and AVG tools handle secured connections.
The first issue is that AntiTrack does not properly verify HTTPS certificates, so an attacker's self-signed certificate for a fake site is accepted as if it were genuine. The second is that AntiTrack forcibly downgrades connections to TLS 1.0. The third is that the anti-tracking tool does not honor forward secrecy, meaning a recorded session can be decrypted later if the server's private key is ever obtained, rather than being protected by an ephemeral per-session key.
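The three weaknesses map onto three settings of a TLS client. The following is an added example and is not AntiTrack's or AVG's code: a Python `ssl.SSLContext` configured the way the article describes (no certificate or hostname verification, TLS 1.0 allowed, a static-RSA cipher suite enabled), beside a hardened context a TLS-terminating proxy should use for its upstream leg, and an audit function that flags each weakness. The function names `weak_upstream_context`, `hardened_upstream_context` and `audit_context` are hypothetical, and the weak context is a constructed reproduction of the described behaviour, not the vendor's configuration.

```python
"""Audit an ssl.SSLContext for the three AntiTrack-style TLS weaknesses.

Added example, not Avast's or AVG's code. It assumes a proxy written in
Python whose upstream TLS client is configured through an SSLContext; all
function names here are hypothetical.
"""
from __future__ import annotations

import ssl

# Key-exchange algorithms (as named by OpenSSL in SSLContext.get_ciphers())
# that give forward secrecy: ephemeral (EC)DH, or TLS 1.3 ("kx-any"),
# where every suite uses an ephemeral exchange by design.
# Static RSA key exchange ("kx-rsa") does not: whoever later obtains the
# server's private key can decrypt recorded sessions.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any"}


def weak_upstream_context() -> ssl.SSLContext:
    """Constructed reproduction of the described behaviour: no certificate
    or hostname checking, TLS 1.0 negotiable, a static-RSA suite enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # any cert, self-signed included, is accepted
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # downgrade to TLS 1.0 possible
    # AES256-GCM-SHA384 uses static RSA key exchange: no forward secrecy.
    ctx.set_ciphers("AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384")
    return ctx


def hardened_upstream_context() -> ssl.SSLContext:
    """What the upstream leg of a TLS-terminating proxy should look like."""
    # create_default_context(): CERT_REQUIRED, check_hostname=True, system CA store.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Ephemeral key exchange only. TLS 1.3 suites are not affected by set_ciphers
    # and are forward secret anyway.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return one human-readable finding per weakness; an empty list means clean."""
    findings: list[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate not verified: verify_mode is not CERT_REQUIRED, "
                        "so a self-signed cert for a fake site is accepted")
    if not ctx.check_hostname:
        findings.append("hostname not checked: a valid cert issued for any other "
                        "site is accepted for this one")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol downgrade: minimum_version is "
                        f"{ctx.minimum_version.name}, so TLS 1.0/1.1 are negotiable")
    static_kx = sorted({c["name"] for c in ctx.get_ciphers()
                        if c["kea"] not in FORWARD_SECRET_KX})
    if static_kx:
        findings.append("no forward secrecy: static key-exchange suites enabled: "
                        + ", ".join(static_kx))
    return findings


if __name__ == "__main__":
    for label, builder in (("weak", weak_upstream_context),
                           ("hardened", hardened_upstream_context)):
        print(f"[{label}]")
        for finding in audit_context(builder()) or ["no findings"]:
            print("  -", finding)
```

The audit only inspects the context's settings; it never opens a connection, so it runs offline and can be dropped into a test suite for any Python component that terminates TLS on a user's behalf. The same four properties (verify_mode, check_hostname, minimum_version, cipher key exchange) are the ones to check in whatever TLS stack a real proxy uses.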
Avast has acknowledged the bug both in its own-branded AntiTrack and in the AVG version.
"Thanks to David reporting these issues to us, the issues have been fixed, through an update pushed to all AntiTrack users," Avast said.
"Despite being highly privileged and processing untrusted input by design, it is un-sandboxed and has poor mitigation coverage," Ormandy said of the process. "Any vulnerabilities in this process are critical, and easily accessible to remote attackers." ®