A privacy feature found in antivirus software from Avast and AVG was actually exposing their data, new research has found.
AntiTrack was designed to strip tracking cookies and scripts from websites sousers can browse the internet anonymously without being tracked.
It was included in both Avast and AVG products, with Avast AntiTrack version older than 126.96.36.199 and AVTG AntiTrack version 188.8.131.52 or older all affected.
- Avast reportedly sold user web browsing data
- Avast and AVG extensions allowed back on Firefox store
- Windows 10 updates are being blocked by security tools
The vulnerability, listed as CVE-2020-8987, was found by web researcher David Eade who identified and reported the findings to Avast.
He found that AntiTrack does not verify the authenticity of certificates presented by a website, meaning hackers could easily gain entry via Man in The Middle (MiTM) attacks, allowing them to hijack browser sessions and steal data.
Hackers do not even need local access or any special software to trigger this vulnerability, Eade noted.
The fact that AntiTrack ignores higher security protocols and downgrades the protocols to TLS 1.0 even if the server supports TLS 1.2 is another serious flaw found in the program, making the system vulnerable to more security issues.
It is also reported that AntiTrack does not honor the secured browser encryption suites in favour of weak and old encryption standards.
"A remote attacker running a malicious proxy could capture their victim's HTTPS traffic and record credentials for later re-use," Eade said.
He further added, “If a site needs two-factor authentication (such as a one-time password), then the attacker can still hijack a live session by cloning session cookies after the victim logs in.”
Both vulnerabilities were identified in August 2019, however a security patch was only releasedfor both Avast and AVG AntiTrack this week on March 9. Avast thanked Eade in a blog post, saying that the issues were all now fixed.
- We'll help you pick from the best VPN options