One of the most popular browser-based solutions for Internet security might be more dangerous than not having any security at all. According to a bug report filed by a Google employee on December 15th, the AVG Web TuneUp extension is disabling web security on Chrome for over 9 million users.
But that’s nothing compared to the complaint from Google:
“Apologies for my harsh tone, but I’m really not thrilled about this trash being installed for Chrome users. The extension is so badly broken that I’m not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it’s a PuP.
Nevertheless, my concern is that your security software is disabling web security for 9 million Chrome users, apparently so that you can hijack search settings and the new tab page.
There are multiple obvious attacks possible, for example, here is a trivial universal xss in the “navigate” API that can allow any website to execute script in the context of any other domain. For example, attacker.com can read email from mail.google.com, or corp.avg.com, or whatever else.”
AVG released a fix shortly after this report was filed, but Google denied it. It didn’t fix the issue. AVG issued a second update on December 21st, and that one was accepted by Google, but the team has disabled inline installations just in case.
If you have the AVG Web TuneUp extension, you might want to consider another security solution.