9 Million At Risk from Browser Security Tool

John Lister's picture

A popular antivirus browser extension has been labeled as a security risk by Google. The tool in question is called Web TuneUp and is a browser extension by AVG; in this case, the problem involves Web TuneUp and the Chrome Browser, but the threat itself likely includes other browsers as well.

Web TuneUp works by validating links that appear on a web browser page, such as on a search engine results list. It then warns the user if a link points to a page that could compromise security. It's arguably overkill, given that Chrome includes similar tools - plus the fact that Google itself filters results to try to weed out security threats. Nonetheless, an estimated nine million people have Web TuneUp installed.

Extension Installed Without Permission

Recently Google security researcher looked into AVG's Web TuneUp and was shocked by what he found. It turned out the extension was automatically installed to Chrome whenever a user installed the main AVG antivirus software. (Source: bbc.co.uk)

Normally users have to manually choose to add an extension from Google's Chrome Store, and Google automatically vets the extensions for security threats. AVG deliberately set the extension up to bypass this vetting, apparently to give it the option of changing the user's search settings and the page that appears when they open a new tab.

Browsing Habits, Personal Data Exposed

To make things worse, the extension did not encrypt data being sent from the user to AVG's computers. That means that data could have been easily intercepted by hackers. At best, the data might be a list of all the sites the user visited; at worst it could include sensitive personal data. It could have also let hackers send malicious code to the user's computer, disguised as legitimate content from AVG.

The Google engineer contacted AVG with a demand that it fix the problem. AVG initially responded by tweaking the extension so that it would only send data to websites containing 'avg.com' in the address. However, as the Google Engineer pointed out, this would not work because hackers could simply create a site which included 'avg.com' as part of the full web address.

AVG has now issued a patch for the problems. In spite of this, Google has put a freeze on anyone downloading the extension until it completes an investigation into whether AVG broke its guidelines. That investigation could mean the extension is permanently banned from Chrome. (Source: arstechnica.com)

What's Your Opinion?

Do you have Web TuneUp installed and if so, did you know it was on your computer? Does this undermine the credibility of security companies such as AVG? Should Google allow any third-party security tools as Chrome extensions or should it insist security firms stick to standalone applications?

Rate this article: 
Average: 4.8 (10 votes)

Comments

Dennis Faas's picture

If AVG circumvented Google's Policies they should be banned permanently. Free antivirus is good if you know how to use it (and ignore the extras) - however, antivirus companies are making a ton of cash by having people upgrade from free to their "Pro" version, even if it's total overkill and ends up making the computer run at a snail pace. Users usually upgrade to Pro at the time of renewal of the free subscription. That said, as long as their program is in front of your face constantly (including a browser extension), then users are more likely to proceed with the upgrade. I'm sure AVG knows this and that's why they circumvented in the first place - plus they are probably selling data it collects when users perform searches.

howard_5051's picture

Until I installed Windows 10, I used Kaspersky Internet Security on our desktop, laptop & netbook PCs. For some reason, on the 2009 Dell Studio laptop, Google Chrome & Firefox will not work with Kaspersky installed - although these browsers do work with Kaspersky on the newer desktop & netbook.

I therefore swapped out Kaspersky on thelaptop and replaced it with a paid-for version of AVG (which works fine) thinking (probably now wrongly) that AVG had a good reputation and operated as an 'ethical' company. It seems I was mistaken!

I have now 'purged' my browser's extensions, removing WebTuneup - it was installed on Chrome, Firefox & Opera. Fortunately on Chrome - our most commonly-used browser - it was disabled.

Many thanks for the alert Dennis.

phy3512167_6122's picture

I recently encountered a problem with Windows 7 Professional. The taskbar locked up and would not allow me to select any program by clicking on its icon. I googled the problem and found many suggested solutions, none of which worked. After many failed tries to elucidate the problem, I finally decided that the program having the most widespread presence on my computer (a Lenovo T420s laptop) was AVG anti-virus. I tried to uninstall the program, but it was obviously installed with the intent to hide and make the uninstallation extremely difficult. I finally got rid of it and installed another free anti-virus program. The problem was solved. I might have assumed the add-on feature in AVG was simply a mistake or interfered with my particular Win 7 setup. However, the difficulty in unstalling it made it clear that something more was in play.

Doccus's picture

I used the free version of AVG for several years but found it bogged down my OS, especially the taskbar, just as this person mentioned. And inevitably the day came, about 10 years ago when we had a significant malware problem on my dad's computer. Unfortunately nothing I could do (and I was an active tech at the time too) using AVG would remove more than a small percentage of them. IIRC it *did* give me the all clear. Repeatedly, in fact but that was incorrect, as the malware just kept reappearing. Also I seem to recall AVG changed their behavior in regards to how they handled distribution of the "free" version. Certainly it's not the AV I remember from 10 -15 years ago.
Nevertheless, although I think the browser extension boondoggle is probably the result of some overzealous marketing dept., if it was intended to increase profits it may instead have helped sink the company.
The timing for my AVG troubles was fortuitous however.. as Apple had just recently switched to intel and on a whim I installed a macintel hack on my dad's PC. Turned out he really liked it so eventually he bought a real mac.
He still calls for advice one in a rare while but mostly because he pushed the wrong button and something's temporarily disappeared.
But no more 6 hour PC/Windows malware "seek and destroy" missions.. or windows update freezes, or crashes, or BSODs etc.. !
Thank you! AVG for pushing me out the door...

gbruce40_3626's picture

Hi Dennis,

I installed Windows 10 on my desktop and I like it, so I thought I would install it on my laptop running Win 7, which Microsoft claims "This PC works with Windows 10". Under that it says "you'll need to uninstall these apps during the upgrade"

"AVG Identity Theft Protection"
"AVG Technologies CZ, s.r.o."

So I went ahead and tried to install Widows 10. Thinking that the installer would prompt me to remove AVG during the upgrade. However, numerous times it failed totally due to AVG being present.

I do not remember ever using AVG, I certainly never subscribed to it. I searched my laptop for any files etc with AVG like names and I manually went through the registration and found some references to AVG. I removed them all, rebooted and tried the install again. No luck, Same problem. I went to AVG's website and found that someone else had reported the same problem and had complained. AVG listed a download that they claimed would remove all traces of AVG from Windows 7. I tried but It did not work.

I have Chrome installed but never use it as I prefer Firefox. How do I check for AVG's Web TuneUp in Chrome, or is there another answer to this problem that you may know?