Google has banned AVG from automatically installing its Web TuneUp Chrome extension – after the widget wrecked the online security of nine million people.
Tavis Ormandy – a Google Project Zero researcher who has been auditing antivirus software – found the extension was riddled with vulnerabilities. Web TuneUp is installed with AVG's antivirus package, and attempts to stop Chrome users from surfing to websites hosting malware. It is used by 9,050,432 people.
According to Ormandy, the extension leaked "browsing history and other personal data to the internet." Malicious websites could exploit the toolbar's programming blunders to access other websites a user was logged into. In other words, a script running on a webpage in a tab could invisibly access, say, mail.google.com as the user, and hijack the victim's webmail inbox.
Google probes AVG Chrome widget after 9m users exposed by bugs • The Register