It has been a while since I’ve written about Avast, so today I give you “How insecure is Avast Secure Browser?”

https://palant.info/2024/07/15/how-insecure-is-avast-secure-browser/

Note: This isn’t a vulnerability disclosure, merely an overview of problematic design decisions.

TL;DR from the article: I wouldn’t run Avast Secure Browser on any real operating system, only inside a virtual machine containing no data whatsoever.

Some highlights:

• Eleven pre-installed browser extensions but only two visible to users.
• Two extensions unnecessarily relax Content-Security-Policy protection.
• One of these two extensions also requesting all privileges possible, despite not actually using them.
• Two extensions accept messages from any other extension and any Avast website, the latter without enforcing HTTPS connections.
• One of these extensions, Privacy Guard (sic!), will expose information about your browser’s tabs via that messaging interface and provide updates as you browse the web.
• The “onboarding” experience is designed as an extremely flexible way to nag you into using products that benefit Avast financially.
• To make this “onboarding” work, the browser exposes internal APIs to a number of Avast domains that a huge number of third parties can put content on. Not only can each of these third parties abuse this access, a single XSS vulnerability will extend the access to any website on the internet (no effective CSP protection).

Enjoy!

#avast #avg #avira #ccleaner #securebrowser #infosec

How insecure is Avast Secure Browser?

Another look into Avast Secure Browser shows a massive attack surface, with some issues mentioned five years ago only partially addressed, all while new ways to attack the browser have been added.

^{Almost Secure}