We warned you at the beginning of the year that many of your browser extensions are spying on you, tracking what you are visiting, and even inserting ads into pages. These aren’t just no-name developers either: even Avast, one of the most trusted antivirus vendors, was in on the game.
The best free price comparison and coupon finder online
Save money with Avast SafePrice, the intelligent, convenient browser extension that will find you the best deals for nearly everything you want. After installing and enabling the plugin, just search for the item you’re looking for on your favorite online store. From there, Avast SafePrice will automatically check every other trustworthy, reputable shopping website and give you a comprehensive list of the best online deals and free coupons. Then, all you have to do is click on the deal you want, and presto, we’ll take you there and you can finish your purchase. Shopping around for a vacation? You can even use Avast SafePrice to find and book world-class deals for hotels when you travel, ensuring you have a comfortable, cost-effective place to rest when you’re far from home. And to top it all off, Avast SafePrice is completely free and unobtrusive, vanishing out of sight when you’re not shopping to cut down on the clutter in your browser. So download Avast SafePrice today, and start shopping smarter, saving money, and making the most of your time online.
Update 2: We just want to point out that this happened in the past, and Avast has cleaned up their act. They have a decent product, and while you can read this for historical purposes, you should know that many of the other antivirus vendors are doing worse things.
Update: Avast has posted a response to our article on their forum. We stand by our article and our research with the exception of one very inconsequential technical detail that we have updated below. The purpose of writing these types of articles isn’t to be vindictive — we just honestly want to make the world a better place for PC users.
Before we go even one step further, it’s important to note that they recently disabled the spying “shopping” feature in their browser extension. So if you are running the latest Chrome with extensions updated, you are fine. For now.
So Avast has stopped integrating the spying extension, but this is about the principle: you should be able to trust your antivirus provider. Why are they adding a feature that spies on your browsing, inserts ads… and all without properly notifying you?
And why, at the same time, are they claiming to stop spyware, even uninstalling other shopping extensions from other vendors, while they were doing the same thing they are supposed to stop?
On our test system, the only spyware and crapware that Avast actually detected and removed were the ones that competed with their own shopping extension.
Avast Online Security Extension Added a “Shopping” Component
About a week ago, we were playing around with installing a lot of nonsense from crapware sites, so we loaded up trusty Avast antivirus to see how much of the malware it would actually catch during the process. We were shocked to find out that some of the adware wasn’t from a third-party, but from Avast itself.
The problem lies in the SafePrice component of their Online Security extension, which adds shopping recommendations (ads) as you are browsing around the web.
Here’s the thing: many people actually want shopping extensions that help them find better prices — in fact, one of the HTG staff writers recently asked me what was the best way to find better prices. As a standalone product, if you specifically and deliberately choose to install something like this, there’s nothing wrong with it.
The problem is that Avast snuck this component into their browser extensions, which have at least 10 million users for the Chrome version alone. And then they enabled it by default.
Note: as we were doing research for this article, they updated their extension to not include the shopping feature, but it was there since maybe around last December.
Spying, You Say?
You might remember earlier how we said that this extension is spying on you and, unlike many websites, we’re definitely not going to make some claim like that without proof of what is really going on. So we loaded up Fiddler to see what’s really going on behind the scenes and under the hood and behind the curtain.
As it turns out, every single URL that you visit was being sent to Avast servers — first there would be a check to /urlinfo on one of their servers, passing in a unique ID that represents you on every single request. In this way they can build a list of every single page you have ever visited. They claim on their web site that they remove all personally identifying information, but how, exactly, are they able to do that when they are tracking every single page you visit and sending back that URL with a unique ID to represent you?
Update: Avast contacted us to point out that the /urlinfo page that we showed in the screenshot is actually part of their security extension, which does make sense. The /offers page, however, is sending back data as well.
That unique tracking ID is the biggest problem here: while it might not identify you by name, it’s enough to tie your whole browsing history together, and that’s a scary thing.
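The check described above can be automated over a proxy capture. The following is an added example, not code from the original article or from Avast: it scans a list of captured request URLs for an endpoint that receives the address of each visited page together with a long value that never changes. The host `offers.tracker.example`, the parameter names `uid` and `url`, and the capture itself are constructed for illustration; the actual wire format is not shown in the article.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed capture (chronological request URLs, as a proxy export might list them).
UID = "constructed-0123456789abcdef"
BEACON = "https://offers.tracker.example/offers?uid=" + UID + "&v=2&url="
CAPTURE = [
    "https://news.example/story/1",
    BEACON + "https%3A%2F%2Fnews.example%2Fstory%2F1",
    "https://shop.example/tv?id=42",
    "https://cdn.shop.example/app.js?v=2",
    BEACON + "https%3A%2F%2Fshop.example%2Ftv%3Fid%3D42",
    "https://bank.example/login",
    BEACON + "https%3A%2F%2Fbank.example%2Flogin",
]

def find_history_beacons(request_urls, min_pages=2, min_id_len=16):
    """Find endpoints that are told which pages were visited, tagged with a stable ID.

    A request counts as a leak when one of its query parameters holds the full
    URL of an earlier request to a different host. An endpoint is reported when
    it received at least `min_pages` distinct page URLs and some other parameter
    kept the same long value on every one of those requests.
    """
    seen = set()
    leaks = defaultdict(list)  # endpoint -> [(leaked page URL, other params)]
    for raw in request_urls:
        parts = urlsplit(raw)
        params = parse_qsl(parts.query, keep_blank_values=True)  # percent-decodes
        endpoint = f"{parts.hostname}{parts.path}"
        for name, value in params:
            # Skip first-party cases such as /login?next=<same-site URL>.
            if value in seen and urlsplit(value).hostname != parts.hostname:
                others = {k: v for k, v in params if k != name}
                leaks[endpoint].append((value, others))
        seen.add(raw)

    findings = {}
    for endpoint, hits in leaks.items():
        pages = sorted({page for page, _ in hits})
        if len(pages) < min_pages:
            continue
        first = hits[0][1]
        # Heuristic: short constants (version flags) are ignored, long ones kept.
        stable = {
            k: v for k, v in first.items()
            if len(v) >= min_id_len and all(o.get(k) == v for _, o in hits)
        }
        if stable:
            findings[endpoint] = {"pages": pages, "id_params": stable}
    return findings

if __name__ == "__main__":
    for endpoint, info in find_history_beacons(CAPTURE).items():
        print(endpoint, "received", len(info["pages"]), "page URLs with", info["id_params"])
```

The same approach applies to POST bodies once they are decoded; only the query-string case is handled here.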
And remember, you didn’t ask for this. You just wanted to keep yourself safe online with a trusted antivirus provider.
The Bottom Line: Browser Extensions Have Wayyyy Too Much Power
This behavior, while ridiculous and sad from a company you should trust, isn’t new at all. Almost every product and service on the Internet and almost every browser extension, app, and website, are doing some form of tracking. Here on How-To Geek we use Google Analytics to see our site statistics, and our advertisers probably use a lot of other tracking that we can’t control. And it’s the same with every single web site.
Personal information and big data have become the standard; because after all: if a product is free, the real product is you. If you are browsing and reading a completely free web site, it’s not that big of a deal… after all, sites like ours need to pay our writers, and advertisements are the only way to do that. The problem is when it’s across everything you do.
The problem is that most browser extensions have access to everything you are seeing on the Internet, across every web site. And they aren’t properly disclosing this to you.
So the next time an extension says it can “Read and modify all your data on the websites you visit”, perhaps you should click that “Remove from Chrome” button instead.
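That permission prompt corresponds to host match patterns in the extension's `manifest.json`. The following is an added example, not part of the original article: it flags manifests that grant access to every site, and can walk a Chrome profile's `Extensions` directory (laid out as `<id>/<version>/manifest.json`). The sample manifests and their names are constructed.

```python
import json
from pathlib import Path

# Match patterns that cover every website.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def broad_host_access(manifest):
    """Return sorted (manifest key, pattern) pairs that grant access to all sites."""
    hits = set()
    # Manifest V2 lists host patterns under "permissions", V3 under "host_permissions".
    for key in ("permissions", "host_permissions"):
        for pattern in manifest.get(key, []):
            if isinstance(pattern, str) and pattern in BROAD:
                hits.add((key, pattern))
    # Content scripts are injected into every page their "matches" cover.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD:
                hits.add(("content_scripts", pattern))
    return sorted(hits)

def scan_extensions_dir(extensions_dir):
    """Map extension ID -> name and broad grants for each installed manifest."""
    report = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort
        grants = broad_host_access(manifest)
        if grants:
            report[path.parent.parent.name] = {
                "name": manifest.get("name", "?"),
                "grants": grants,
            }
    return report

# Constructed samples: a V2 "security toolbar" and a narrowly scoped V3 extension.
SAMPLE_MV2 = {
    "manifest_version": 2,
    "name": "Example Security Toolbar",
    "permissions": ["tabs", "http://*/*", "https://*/*"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}
SAMPLE_MV3 = {
    "manifest_version": 3,
    "name": "Example Single-Site Helper",
    "host_permissions": ["https://intranet.example/*"],
}

if __name__ == "__main__":
    for sample in (SAMPLE_MV2, SAMPLE_MV3):
        print(sample["name"], "->", broad_host_access(sample) or "no all-site access")
```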
Most antivirus programs–or “security suites”, as they call themselves–want you to install their browser extensions. They promise these toolbars will help keep you safe online, but they usually just exist to make the company some money. Worse yet, these extensions are often hideously vulnerable to attack.
Many antivirus toolbars are, at best, just rebranded Ask Toolbar extensions. They add a toolbar, change your search engine, and give you a new homepage. They may brand it as a “secure” search engine, but it’s really just about making the antivirus company money. But in some cases, they do more than that–and sometimes with unintended consequences.
Example 1: AVG Web TuneUP Broke Chrome’s Security
“AVG Web TuneUP” is installed when you install AVG antivirus. According to the Chrome Web Store, it has nearly 10 million users. AVG’s official description of the extension says it will “warn you of unsafe search results.”
Back in December, Google-employed security researcher Tavis Ormandy discovered that the extension adds a large number of new JavaScript APIs to Chrome when it’s installed and that “many of the APIs are broken.” Aside from exposing your entire browsing history to any website you visit, the extension offered many security holes for websites to easily execute arbitrary code on any computer with the extension installed.
“My concern is that your security software is disabling web security for 9 million Chrome users, apparently so that you can hijack search settings and the new tab page,” he wrote to AVG. “I hope the severity of this issue is clear to you, fixing it should be your highest priority.”
Four days after it was reported, AVG had a patch. As Ormandy wrote: “AVG submitted an extension with a “fix”, but the fix was obviously incorrect.” He had to provide instructions for how to fix this flaw, and AVG issued an updated patch a day later. The fix restricts the functions to two specific AVG domains, but, as Ormandy noted, the websites on those domains have their own flaws that open users up to attack.
Not only did AVG ship a browser extension with obviously broken, shoddy, insecure code, but AVG’s developers couldn’t even fix the problem without having their hands held by a Google security researcher. Hopefully, the browser extensions are being developed by a different team and the real experts are working on the antivirus software itself–but that’s a good example of how those antivirus browser extensions can go from useless to harmful.
Example 2: McAfee and Norton Don’t Think Microsoft Edge Is Secure (Because It Doesn’t Support Their Add-On)
If you’ve been following the development of Microsoft Edge for Windows 10, you’ll know that it’s supposed to be a more secure web browser than Internet Explorer. It runs in a sandbox and abandons support for old, insecure plug-in technologies like ActiveX. It has a more streamlined codebase and a variety of other improvements, such as protection against “binary injection,” where other programs inject code into the Microsoft Edge process.
And yet, McAfee–which is even installed by default on many new Windows 10 PCs–really doesn’t want you to use Microsoft Edge. Instead, McAfee recommends you use Internet Explorer, and will helpfully remove Edge from your taskbar and pin Internet Explorer there if you let it. All so you can keep using the McAfee browser extension.
Even if that browser extension helped keep you secure a little bit–something we don’t really believe–you’d be much better off with the improved security in Microsoft Edge. Norton does something similar, recommending you use a “supported browser” like Internet Explorer on Windows 10.
Thankfully, Microsoft Edge will soon support Chrome-style browser extensions. And when it does, McAfee and Norton can force their browser extensions on Edge users and stop redirecting them to the old-and-out-of-date-IE.
Example 3: Avast’s Online Security Extension Once Included Ads and Tracking
Here’s one we’ve covered before: Avast installs an “Avast! Online Security” browser extension when you install the main security suite, and they later added a feature named “SafePrice” to the extension in an update. This feature was enabled by default, and it displayed online shopping recommendations–in other words, ads that presumably make Avast money when you click them–as you browse.
To do this, it assigned you a unique tracking ID and sent every single web page you visited to Avast’s servers, associated with that unique ID. In other words, Avast tracked all your web browsing and used it to show ads. Thankfully, Avast eventually removed SafePrice from its main browser extension. But antivirus companies clearly see their “security” extensions as an opportunity to dig deep into the browser and show you ads (or “product recommendations”), not just a way to keep you secure.
It’s Not Just Browser Extensions: You Should Disable Other Browser Integrations, Too
Srsly Avast? If you're gonna mitm chrome's SSL at least get an intern to skim your X.509 parsing before shipping it. pic.twitter.com/1zA1E0qnuo
— Tavis Ormandy (@taviso) September 25, 2015
Extensions are just part of the problem. Any form of browser integration can create security holes. Antivirus programs often want to monitor all your network traffic and inspect it, but they can’t normally see what’s happening inside an encrypted connection, like the one you use to access your email, or bank, or Facebook. After all, that’s the point of encryption–to keep that traffic private. To get around this limitation, some antivirus programs effectively perform a “man-in-the-middle” attack so they can monitor what’s actually going on over an encrypted connection. These work an awful lot like Superfish, replacing certificates with the antivirus’s own. The MalwareBytes blog explained avast!’s behavior here.
This feature is generally just an option in the antivirus program itself, and not part of a browser extension, but it’s worth discussing all the same. For example, Avast’s SSL-interception code contained an easily exploitable security hole that could be used by a malicious server. “At least get an intern to skim your [code] before shipping it,” tweeted Ormandy after discovering the problem. It’s one of those bugs that Avast, a security company, should have caught before shipping it to users.
As he argued in following tweets, this sort of man-in-the-middle code just adds more “attack surface” to the browser, giving malicious sites another way to attack you. Even if the developers of your security program are more careful, features that tamper with your browser are a lot of risk for not much reward. Your browser already contains anti-malware and anti-phishing features, and search engines like Google and Bing already attempt to identify dangerous websites and avoid sending you there.
You Don’t Need These Features, So Disable Them
Here’s the thing: even barring the above issues, these browser extensions are still unnecessary.
Most of these antivirus products promise to make you more secure online by blocking bad websites, and identifying bad search results. But search engines like Google already do this by default, and phishing and malware page filters are built into Google Chrome, Mozilla Firefox, and Microsoft’s web browsers. Your browser can handle itself.
So whatever antivirus program you use, don’t install the browser extension. If you already installed it or weren’t given a choice (many install their extensions by default), visit the Extensions, Add-ons, or Plug-ins page in your web browser and disable any extensions associated with your security suite. If your antivirus program has some sort of “browser integration” that breaks the way basic SSL encryption is supposed to work, you should probably disable that feature too.
Interestingly enough, Ormandy–who’s found a variety of security holes in many, many different antivirus programs–ends up recommending Microsoft’s Windows Defender, stating that it’s “not a complete mess” and “has a reasonably competent security team.” While Windows Defender certainly has its flaws, at least it doesn’t attempt to insert itself into the browser with these additional features.
Of course, if you want to use a more powerful antivirus program than Windows Defender, you don’t need its browser features to stay secure. So if you download another free antivirus program, be sure to disable its browser features and extensions. Your antivirus can keep you safe from malicious files you might download and attacks on your web browser without those integrations.