Mozilla removed 4 Avast and AVG extensions for spying on Firefox users

Mozilla has removed four extensions from Avast and AVG from the Firefox site that are suspected to track user activity online.

Four Avast and AVG Firefox extensions have been removed from Mozilla Addons Site over concerns of spying of users.

“This add-on violates Mozilla’s add-on policy by collecting data without user disclosure or consent,” explained Mozilla.

The four extensions developed by Avast and its subsidiary AVG are:

• Avast Online Security
• AVG Online Security
• Avast SafePrice
• AVG SafePrice

Both Avast and AVG Online Security extension alert users to phishing, scam, and malicious sites when a user visits malicious sites. SafePrice extensions display a small bar on e-commerce sites that alert users to better prices at other sites when shopping for certain products.

The popular extensions were found collecting a lot more data on millions of users, including their browsing history. These browser extensions are installed when users install Avast or AVG antivirus solutions on their computers on their PCs.

The suspicious behavior was first detailed by the security researcher Wladimir Palant reported who noted that these extensions were sending a large amount of tracking data about a user’s online activity to the URL https://uib.ff.avast.com/v5/urlinfo. 

“Are you one of the allegedly 400 million users of Avast antivirus products? Then I have bad news for you: you are likely being spied upon. The culprit is the Avast Online Security extension that these products urge you to install in your browser for maximum protection.” reads the report published by Palant.

“But even if you didn’t install Avast Online Security yourself, it doesn’t mean that you aren’t affected. This isn’t obvious but Avast Secure Browser has Avast Online Security installed by default. It is hidden from the extension listing and cannot be uninstalled by regular means, its functionality apparently considered an integral part of the browser.”

Below the list of data sent by the browser extensions to the above URL:

Field	Contents
uri	The full address of the page you are on.
title	Page title if available.
referer	Address of the page that you got here from, if any.
windowNum tabNum	Identifier of the window and tab that the page loaded into.
initiating_user_action windowEvent	How exactly you got to the page, e.g. by entering the address directly, using a bookmark or clicking a link.
visited	Whether you visited this page before.
locale	Your country code, which seems to be guessed from the browser locale. This will be “US” for US English.
userid	A unique user identifier generated by the extension (the one visible twice in the screenshot above, starting with “d916”). For some reason this one wasn’t set for me when Avast Antivirus was installed.
plugin_guid	Seems to be another unique user identifier, the one starting with “ceda” in the screenshot above. Also not set for me when Avast Antivirus was installed.
browserType browserVersion	Type (e.g. Chrome or Firefox) and version number of your browser.
os osVersion	Your operating system and exact version number (the latter only known to the extension if Avast Antivirus is installed).

The above data could be used to spy on users online and discover their habits and preferences.

“Tracking tab and window identifiers as well as your actions allows Avast to create a nearly precise reconstruction of your browsing behavior: how many tabs do you have open, what websites do you visit and when, how much time do you spend reading/watching the contents, what do you click there and when do you switch to another tab.”continues Palant. “All that is connected to a number of attributes allowing Avast to recognize you reliably, even a unique user identifier,”

Palant shared his findings to browser makers, Mozilla, and Google, and the former decided to temporarily remove the extensions from the Firefox Add-on store.

Avast and AVG can resubmit the extensions to the addon store when they will have addressed the privacy issues.

Meantime, the extensions would remain active for users that have already installed them and will continue to collect the above information.

The four extensions are still available on the Google Chrome Web Store.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – browser extensions, privacy)

[adrotate banner=”5″]

[adrotate banner=”13″]