Avast AntiTrack certificate bug allowed others to snoop on your online activities

The vulnerability opened up PCs to browser hijacking and more.
Written by Charlie Osborne, Contributing Writer

A vulnerability impacting Avast and AVG AntiTrack privacy software opened up user PCs to Man-in-The-Middle (MiTM) attacks, browser session hijack, and data theft. 

Disclosed by David Eade on March 9, the security researcher said the security flaw, tracked as CVE-2020-8987, is a certification validation issue that affects Avast AntiTrack before and AVG AntiTrack before 

Attackers do not need local access to trigger the vulnerability, and no special software configuration needs to be in place. 

See also: NordVPN HTTP POST bug exposed customer information, no authentication required

Avast's AntiTrack software is designed to block advertising trackers and to prevent "invasive" monitoring of your online habits. However, a set of three security failures undermined these goals. 

The first issue has been caused by a failure to check the validity of certificates presented to end servers. In these cases, self-signed, malicious certificates may be missed, permitting attackers to launch MiTM attacks. 

CNET: This proposed law to protect child safety could put your security at risk

The second security problem outlined by the researcher is how Avast AntiTrack downgrades browser security protocols to TLS 1.0. Even if a web server supports TLS 1.2, the software will ignore these settings and make connections to TLS 1.0 websites -- and when it comes to browsers that have been configured to only reach websites supporting the higher standard, Avast's software should not ignore such direction.

The third problem is a failure for AntiTrack to honor browser cipher suites or Forward Secrecy, a means to ensure session keys are not compromised. Eade says that in the cases of Internet Explorer and Edge, "these are ignored by Avast AntiTrack in favor of much older ciphers, considered weak by today's standards."

"The consequences are hard to overstate," Eade says. "A remote attacker running a malicious proxy could capture their victim's HTTPS traffic and record credentials for later re-use. If a site needs two-factor authentication (such as a one-time password), then the attacker can still hijack a live session by cloning session cookies after the victim logs in."

TechRepublic: Cyberattackers are delivering malware by using links from whitelisted sites

Eade disclosed the security problems to Avast on August 7, 2019. After several months, the vulnerabilities were dealt with internally, but it was not until 9 March 2020 that a public patch had been deployed for both Avast and AVG AntiTrack, both of which share a similar core code. 

Avast thanked the researcher for his findings, saying that the vulnerability has now been patched in Avast AntiTrack version and AVG AntiTrack version The update has now been pushed out to users. 

Europol’s top hacking ring takedowns

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards