Oh, the irony. Anti-malware provider AVG has been caught hijacking search results by enabling its free Web TuneUp Chrome extension to circumvent the browser’s malware checks. The purpose of this maneuver was apparently to reroute search queries to its own service. According to Google researcher Tavis Ormandy, 9 million users were potentially affected before he forced AVG to fix the issue over several days of back and forth.
According to AVG’s Chrome extension listing, Web TuneUp’s mission is to warn users of “unsafe search results.” It accomplishes this by checking each search query against its database of suspicious sites, then routing the user to its own service called “AVG Secure Search.” According to its website, the default search provider can only be changed inside the extensions for Firefox and Internet Explorer.
Ormandy discovered that Web TuneUp is “force-installed,” having been designed to get around Chrome’s own security layer for catching malicious plugins. Here’s how he described it:
When a user installs AVG AntiVirus, a Chrome extension called “AVG Web TuneUp” with extension id chfdnecihphmhljaaejmgoiahnihplgn is force-installed. I can see from the webstore statistics it has nearly 9 million active Chrome users.
Anyway, many of the APIs are broken, the attached exploit steals cookies from avg.com. It also exposes browsing history and other personal data to the internet, I wouldn’t be surprised if it’s possible to turn this into arbitrary code execution.