• by Laurie Sullivan  @lauriesullivan, December 30, 2015

Google banned the AVG free anti-malware tool Web TuneUp from automatically installing in Chrome browsers after discovering it could put up to nine million users at risk of exposing personal data after altering the settings.

AVG's Web TuneUp tool is a free download from the Chrome Store to provide protection against malicious Web sites. The plugin works by sending the Web addresses of sites visited by the user to AVG's servers to check them against a database of known malicious sites. Unfortunately, the plugin was constructed in a way that information could be easily exploited by an attacker.

Tavis Ormandy, a Google Project Zero researcher, said the extension leaked online browsing history and data for millions of Chrome users, making it vulnerable to hijack Gmail accounts, search settings and the new tab page or steal passwords.

“Apologies for my harsh tone, but I'm really not thrilled about this trash being installed for Chrome users,” Ormandy wrote in a forum. “The extension is so badly broken that I'm not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it's a PuP.”

The hole was found earlier this month. AVG’s initial patch did not solve the issue, but as of December 28, AVG had completed a more secure patch.

“The vulnerability has been fixed,” per AVG. “The fixed version has been published and automatically updated to users.”