Google's security team uncovered a major flaw in AVG's Web TuneUp software that had threatened almost nine million users' personal data. The software is AVG's free anti-malware tool that is marketed as helping users defend against "hidden threats".
Tavis Ormandy, a researcher at Google's Project Zero, is believed to be the first to identify the issue. On 15 December he flagged the problem to the rest of his team, claiming that the extension provided by the cybersecurity firm leaked browsing history and online data and could prove to be a threat if someone with the know-how managed to gain access. Ormandy said malicious parties could, for example, hack into a user's Gmail account to gain sensitive information such as passwords and browser history.
Ormandy pointed out that the software was automatically "force installing" a flawed plug-in into Chrome. This meant that users had no control over how the plug-in altered the settings of the browser. Users also could not choose to uninstall the plug-in as the software would install it as an add-on extension. Consequently, personal data was left vulnerable to exposure, especially to knowledgeable hackers.
Google's researcher reportedly contacted AVG regarding this issue, apologising for his "harsh tone", but going on to assert that this matter required immediate attention from the anti-malware software developers. He is believed to have said: "My concern is that your security software is disabling web security for nine million Chrome users, apparently so that you can hijack search settings and the new tab page. I hope the severity of this issue is clear to you, fixing it should be your highest priority."
AVG has apparently developed a new version of the plug-in that has ironed out the issue of the security breach, Ormandy declared on 29 December. The cyber-security company made a statement confirming the matter. "We thank the Google Security Research Team for making us aware of the vulnerability with the Web TuneUp optional Chrome extension," it said. "The vulnerability has been fixed; the fixed version has been published and automatically updated to users."
Google is, however, playing it safe at the moment, prohibiting Web TuneUp from automatically installing the revised plug-in onto users' browsers. This is not the first debacle that AVG has had with Google's security team. In March, Google's research team uncovered a flaw in the anti-malware software that led to Windows security settings possibly being disabled due to an erroneous code.