Avast's AntiTrack promised to protect your privacy. Instead, it opened you to miscreant-in-the-middle snooping

You'd think HTTPS certificate checking would be a cinch for a computer security toolkit – but not so for Avast's AntiTrack privacy tool. Web researcher David Eade found and reported CVE-2020-8987 to Avast: this is a trio of blunders that, when combined, can be exploited by a snooper to silently intercept and tamper with an …

  1. IGotOut Silver badge

    Avast

    No better than the spyware it is supposed to stop.

    So much so, Mozilla kicked them out before Christmas.

    https://www.theregister.co.uk/2019/12/04/avast_avg_mozilla_takedown/

    1. Def Silver badge

      Re: Avast

      I kicked them off my systems years ago. Shortly after they became bloaty and naggy.

    2. Chris G Silver badge

      Re: Avast

      They are just a sales outfit nowadays, trading on the fact that they used to be a top player.

      Download any Avast/AVG software and you will have nagware all day long, trying to sell you more of their crap.

      Salesmen and beancounters can't write security software.

      1. Truth4u

        Maybe they were a top player 15 years ago but Microsoft Security Essentials has been around for 11 years now, and all the sensible analysts saw the writing on the wall and switched around 10 years ago.

        Now Microsoft call it something else, but the point is that their AV was designed from the ground up not to subvert the Windows API while AVG was designed from the ground up to subvert the Windows API. 15 years ago, that was the only option, but it was never a good option.

        If you don't reevaluate your security measures periodically, you can't know that they are still any good.

        1. JCitizen

          @truth4u

          It is a sad fact they took the bloated universal fits-all cr@pware road, so many formerly good AV utilities did - but I finally trashed it over a year ago when it failed to detect a major drive-by attack I got from an infected malvertisement. Sad thing is Essentials or Windows Defender is all we got if we are poor now. But I guess it depends on how you look at it. Almost none of today's competent malware is detectable anyway, so you will have to pay through the nose and get an anti-malware that uses different tactics than yesterday's AM solution.

          ESET is probably one of them, but I've had better luck since I ditched Avast, and left my lifetime licensed MBAM solution on board. It turned out Avast was too busy blocking MBAM, and when I finally got rid of it, I found MBAM was doing a better job by itself. It can occasionally trip up undetected malware by simply blocking certain actions by enhancing the Window permissions themselves. I know I have an attack when the screen goes black and a windows error box tells me I don't have the permissions to do what "I'm" supposedly trying to do. I think this is also how MBAM fights ransomware - quite similar to CryptoPrevent, but up to date and not free anymore.

          If anybody knows of a file cleaner that can get rid of LSO's and Zombie files, please let us know, because now CCleaner has been acquired by Avast, and now it nags you with popup ads as well! So it is just a matter of time before malware finds a vulnerability in it too!

  2. Phil O'Sophical Silver badge

    AntiTrack forcibly downgrading browsers to TLS 1.0

    Really? Do they have any competent security people on their code review team?

    1. matt 83

      How serious is that?

      If the connection between the AntiTrack proxy and the site was TLS 1.0 then fine, but I thought this was software running on your computer, so someone hoping to take advantage of it would have to be able to intercept the internal connection between two bits of software running on the same machine.

      The JavaScript interpreter running as admin and the failure to check the certs seem much more idiotic than using an internal TLS 1.0 connection (if it really is internal; personally I wouldn't touch Avast or AVG with a 10 foot pole so I'm not 100% sure)

      1. Anonymous Coward

        AntiTrack acts as a man-in-the-middle between your browser and the site you're connecting to. If that site, or one it uses, is malicious and AntiTrack has downgraded your connection to TLS 1.0, you're susceptible to attacks like POODLE.

        1. eldakka Silver badge

          If @Matt 83's explanation is accurate, then it isn't exposing you to POODLE as far as I can tell. For POODLE to work, the communications between the client and across a network (usually through a routing device or at the destination site) have to be downgraded to SSL3 or earlier, with the attack occurring on that part of the comms that is at SSL3.

          For starters, this is downgrading the connection to TLS1, not SSL3, and as @Matt 83 questioned, is the downgrade along the entire client <-> server communications path, or is it only between the local client browser and the local proxy, where the proxy communicates with the destination site via newer TLS versions? e.g.:

          browser <-> TLS1 <-> local (same device as browser) proxy <-> TLS 2+ <-> network

          But we don't have enough information, at least from this article, to know. But even then, POODLE requires SSL3 as far as my brief research has found, and, since no citations on POODLE affecting TLS1 were provided, brief is as far as I'll go.
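An added example, not from the article, from any commenter, or from Avast's code: a small Python audit of a client-side ssl.SSLContext for the two blunders discussed in this sub-thread, a protocol floor that still admits TLS 1.0 and missing certificate validation, with a constructed weak context beside a hardened one. The TLS 1.2 threshold is this example's own assumption.

```python
import ssl

# Assumed policy for this example: nothing below TLS 1.2 is acceptable.
MIN_ACCEPTABLE = ssl.TLSVersion.TLSv1_2


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings for a client-side SSLContext; an empty list means clean."""
    findings = []
    # A floor below 1.2 lets a peer (or a local proxy) negotiate TLS 1.0/1.1.
    if ctx.minimum_version < MIN_ACCEPTABLE:
        findings.append(f"accepts TLS below 1.2 (floor: {ctx.minimum_version.name})")
    # Without CERT_REQUIRED the server's chain is never checked against a CA.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    # Even a verified chain is useless if it is not tied to the requested host.
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate")
    return findings


def weak_context() -> ssl.SSLContext:
    """Constructed to mirror the behaviour the article attributes to AntiTrack."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before relaxing verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # admit the TLS 1.0 downgrade
    except ValueError:
        # OpenSSL built without TLS 1.0 support: drop the floor entirely instead.
        ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """What a TLS-terminating client or proxy should use instead."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["no findings"])
```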

  3. adam payne

    I remember using Avast back in the day and using a couple of the free skins they had available for it. I also remember recommending it as a decent alternative to the big guys.

    I saw it on a couple of PCs late last year and wow was it bloated and naggy. They have added so much additional stuff to it that is of course all pay for.

    The thing constantly nags you about upgrading to pro or alerts you to a new report about how many infections they stopped worldwide.

    Nowadays I wouldn't touch it with someone else's bargepole.

  4. ecofeco Silver badge

    Avast?

    They lost the plot years ago.

Biting the hand that feeds IT © 1998–2022