A set of flaws in the Avast and AVG AntiTrack privacy tools exposes users' PCs to man-in-the-middle (MitM) attacks, user session hijacking and data theft.
Attackers need no local access to trigger the vulnerability, and no particular software configuration is required.
Avast's AntiTrack app is meant to block advertising trackers and prevent “invasive” monitoring of users' web behaviour. However, three weaknesses in its defenses undermine those objectives.
The first issue is a failure to check the validity of the certificates presented by end servers. Because of this, a malicious certificate that lets an attacker mount a MitM attack can go unnoticed.
Avast AntiTrack's second security problem is that it downgrades the application's security protocol to TLS 1.0. Even when a web server supports TLS 1.2, the app disregards this and connects using TLS 1.0, and it ignores browser settings that restrict connections to sites supporting a higher standard.
The third problem is that AntiTrack does not honor the client's cipher suites or forward secrecy, so session keys are not protected. In the case of Internet Explorer and Edge, Eade says, “these are ignored by Avast AntiTrack in favor of much older ciphers, considered weak by today’s standards.”
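The three weaknesses above all come down to how a TLS client is configured: whether it validates the server certificate, what protocol floor it enforces, and whether it offers only forward-secret cipher suites. The following is an added example, not code from the article or from Avast, showing how to audit a client-side TLS configuration for exactly those three properties using Python's standard `ssl` module. The "weak" context is a constructed stand-in that mirrors the described behaviour (no certificate validation, TLS 1.0 floor, RSA key exchange suites); it is an assumption for illustration, not AntiTrack's actual settings. The cipher strings and the `kea` field of `SSLContext.get_ciphers()` are real OpenSSL/Python features.

```python
import ssl

# Key-exchange kinds that give forward secrecy. "kx-any" is what Python
# reports for the TLS 1.3 suites, which are always ephemeral.
FORWARD_SECRET_KEA = {"kx-ecdhe", "kx-dhe", "kx-any"}


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings describing why this client context is weak.

    An empty list means the context validates certificates, refuses anything
    below TLS 1.2 and offers only forward-secret cipher suites.
    """
    findings = []

    # 1. Certificate validation: both chain verification and hostname
    #    matching must be on, otherwise a forged certificate is accepted.
    if ctx.verify_mode == ssl.CERT_NONE or not ctx.check_hostname:
        findings.append("certificate validation disabled")

    # 2. Protocol floor: TLSVersion is an IntEnum, so a plain comparison works.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")

    # 3. Forward secrecy: any suite with a static key exchange (e.g. kx-rsa)
    #    lets a later private-key compromise decrypt recorded sessions.
    legacy = sorted(
        c["name"] for c in ctx.get_ciphers() if c["kea"] not in FORWARD_SECRET_KEA
    )
    if legacy:
        findings.append("non-forward-secret ciphers offered: " + ", ".join(legacy))

    return findings


def weak_context() -> ssl.SSLContext:
    """Constructed stand-in mirroring the three described weaknesses."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # weakness 1: no certificate check
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # weakness 2: TLS 1.0 allowed
    # weakness 3: static RSA key exchange suites, no forward secrecy
    ctx.set_ciphers("AES128-SHA:AES256-SHA:AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA")
    return ctx


def hardened_context() -> ssl.SSLContext:
    """What a privacy tool's client side should look like."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # ephemeral key exchange only
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(f"{label}: {audit_client_context(ctx) or ['no findings']}")
```

Running the module prints three findings for the weak context and none for the hardened one. The same audit function can be pointed at any `SSLContext` an application builds before it opens a socket, which is a cheap way to catch a downgrade or a disabled verification path in code review or a unit test.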
“The consequences are hard to overstate,” Eade says. “A remote attacker running a malicious proxy could capture their victim’s HTTPS traffic and record credentials for later re-use. If a site needs two-factor authentication (such as a one-time password), then the attacker can still hijack a live session by cloning session cookies after the victim logs in.”
Eade reported the security problems to Avast on August 7, 2019. The bugs were fixed internally within a few months, but a general fix for both Avast and AVG AntiTrack, which share the same core technology, was only released on March 9, 2020.
Avast thanked the researcher for his findings and said that the bug is now fixed in Avast AntiTrack version 18.104.22.168 and AVG AntiTrack version 22.214.171.124. The fix was shared with consumers soon after.