Bugs in Avast AntiTrack expose users to cyber attacks

A flaw impacting Avast and AVG AntiTrack privacy software could expose users to browser hijacking and Man-in-The-Middle (MiTM) attacks.

Security expert David Eade has discovered a vulnerability (CVE-2020-8987) in Avast and AVG AntiTrack privacy software that could expose end-users to Man-in-The-Middle (MiTM) attacks and browser session hijacking, with consequent exposure of sensitive data.

“A remote attacker running a malicious proxy could capture their victim’s HTTPS traffic and record credentials for later re-use. If a site needs two factor authentication (such as a one-time password), then the attacker can still hijack a live session by cloning session cookies after the victim logs in.” reads the advisory published by Eade.

The vulnerability was disclosed by the expert on March 9. It is classified as a certificate validation issue that affects Avast AntiTrack before and AVG AntiTrack before

Avast’s AntiTrack is advertised as a solution to block advertising trackers and to prevent monitoring of users’ online activities.

The expert found several issues in the application, but first of all let's understand how the software works.

During installation, Avast AntiTrack adds the “AvastAntiTrack 2” certificate to the Windows “Trusted Root Certification Authorities” store.

Then the software proxies users’ traffic to HTTPS sites and presents the browser with a freshly minted certificate of its own for each site visited. Even if the browser displays a secure padlock icon, the traffic is not secured to the end web server.

The first issue found by the expert is that the application fails to check the validity of certificates presented by end servers. This means that an attacker could use self-signed, malicious certificates to launch MiTM attacks.

The second security issue disclosed by Eade is that Avast AntiTrack downgrades the browser's security protocol to TLS 1.0. This means that even if a web server supports TLS 1.2, the software will connect using TLS 1.0 whenever the server also accepts it.

“Internet Explorer and Edge can be configured to use only TLS 1.2 or higher. Ordinarily this should mean these browsers cannot reach websites using lower versions of TLS. However, Avast Antitrack ignores this setting and makes connections with TLS 1.0 regardless (if the web server supports it), even if the web server supports TLS 1.2 too.” continues the advisory.

The third issue is AntiTrack's failure to honor browser cipher suites or Forward Secrecy.

“Microsoft periodically updates the cipher suites available to Internet Explorer and Edge. These are ignored by Avast Antitrack in favour of much older ciphers, considered weak by today’s standards.” continues the expert.
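The three findings correspond to three settings on an intercepting proxy's upstream (proxy-to-server) TLS client. The sketch below is an added example, not code from the advisory or from Avast: it builds a constructed weak context beside a hardened one with Python's `ssl` module and audits both. The function names, finding labels and cipher strings are assumptions chosen for illustration.

```python
import ssl

# TLS 1.3 suites ("TLS_...") always use ephemeral key exchange; for TLS 1.2
# only ECDHE/DHE suites provide forward secrecy.
FS_PREFIXES = ("TLS_", "ECDHE-", "DHE-")

def weak_upstream_context():
    """Constructed 'before': mirrors the three behaviours the advisory describes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE   # issue 1: server certificate never validated
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # issue 2: old TLS accepted
    ctx.set_ciphers("AES128-SHA:AES256-GCM-SHA384")  # issue 3: static RSA key exchange
    return ctx

def hardened_upstream_context():
    """'After': validate the server, refuse old TLS, offer only ephemeral suites."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, hostname check, system roots
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx

def audit(ctx):
    """Return the advisory's findings that apply to an SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        findings.append("no-cert-validation")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("tls-downgrade")
    if any(not c["name"].startswith(FS_PREFIXES) for c in ctx.get_ciphers()):
        findings.append("no-forward-secrecy")
    return findings

if __name__ == "__main__":
    print("weak:    ", audit(weak_upstream_context()))
    print("hardened:", audit(hardened_upstream_context()))
```
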

The issues were disclosed to Avast on August 7, 2019, AVG Antitrack released on 9 March 2020.

Pierluigi Paganini

(SecurityAffairs – hacking, Avast)
