AVG's tool to ward off malware put millions of people's data at risk

04 Jan 2016


It has emerged that AVG's Web TuneUp, a popular tool meant to ward off malware, contained a flaw that put millions of people's personal data at risk, the BBC reported.

AVG's Web TuneUp software is touted as a free way for users to defend themselves from "hidden threats".

However, earlier this month Google's security team found that it was overriding safety features built into the search firm's Chrome browser.

Although AVG said it had addressed the problem, it now faced repercussions.

The issue was first flagged by Google's Tavis Ormandy to other members of his Project Zero team on 15 December.

He pointed out that Web TuneUp was "force installing" a plug-in into Chrome, meaning that users of the product had no way to opt out of it altering the browser's settings.

Consequently, he said, people's internet history and other personal data could be seen by others if they knew where to look online. He added that the code could potentially let hackers spy on people's email and other online activities.

On 15 December he wrote to the Amsterdam-based cybersecurity firm:

"Apologies for my harsh tone, but I'm really not thrilled about this trash being installed for Chrome users.

"My concern is that your security software is disabling web security for nine million Chrome users, apparently so that you can hijack search settings and the new tab page.

"I hope the severity of this issue is clear to you, fixing it should be your highest priority."

The exchange between the two firms revealed that AVG's attempt to address the issue was unsuccessful.

But on Tuesday, Ormandy confirmed the issue had been resolved thanks to a new version of the plug-in.

AVG confirmed the development in a statement.

"We thank the Google Security Research Team for making us aware of the vulnerability with the Web TuneUp optional Chrome extension," it said.

"The vulnerability has been fixed; the fixed version has been published and automatically updated to users."

AVG's plug-in was still available from Chrome's web store; however, the firm could not auto-install it for new users.

"Inline installations are disabled while the CWS [Chrome Web Store] team investigate possible policy violations," Ormandy wrote.
