Avast anti-tracking system actually exposed users

AntiTrack privacy feature was meant to protect users

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A privacy feature found in antivirus software from Avast and AVG was actually exposing their data, new research has found.

AntiTrack was designed to strip tracking cookies and scripts from websites sousers can browse the internet anonymously without being tracked.

It was included in both Avast and AVG products, with Avast AntiTrack version older than 1.5.1.172 and AVTG AntiTrack version 2.0.0.178 or older all affected.

Insecure browsing

The vulnerability, listed as CVE-2020-8987, was found by web researcher David Eade who identified and reported the findings to Avast.

He found that AntiTrack does not verify the authenticity of certificates presented by a website, meaning hackers could easily gain entry via Man in The Middle (MiTM) attacks, allowing them to hijack browser sessions and steal data.

Hackers do not even need local access or any special software to trigger this vulnerability, Eade noted.

The fact that AntiTrack ignores higher security protocols and downgrades the protocols to TLS 1.0 even if the server supports TLS 1.2 is another serious flaw found in the program, making the system vulnerable to more security issues.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

It is also reported that AntiTrack does not honor the secured browser encryption suites in favour of weak and old encryption standards.

“A remote attacker running a malicious proxy could capture their victim’s HTTPS traffic and record credentials for later re-use,” Eade said.

He further added, “If a site needs two-factor authentication (such as a one-time password), then the attacker can still hijack a live session by cloning session cookies after the victim logs in.”

Both vulnerabilities were identified in August 2019, however a security patch was only releasedfor both Avast and AVG AntiTrack this week on March 9. Avast thanked Eade ina blog post, saying that the issues were all now fixed.

Via:ZDNet

Jitendra has been working in the Internet Industry for the last 7 years now and has written about a wide range of topics including gadgets, smartphones, reviews, games, software, apps, deep tech, AI, and consumer electronics.

A new form of macOS malware is being used by devious North Korean hackers

Scammers are using fake copyright infringement claims to hack businesses

England vs Australia live stream: how to watch 2024 rugby union Autumn International online from anywhere