Security expert David Eade has discovered a vulnerability (CVE-2020-8987) in Avast and AVG AntiTrack privacy software that could expose end-users to Man-in-The-Middle (MiTM) attacks, browser session hijack, with consequent exposure of sensitive data.
“A remote attacker running a malicious proxy could capture their victim’s HTTPS traffic and
The vulnerability was disclosed by the expert on March 9, it is classified as a certification validation issue that affects Avast AntiTrack before 184.108.40.206 and AVG AntiTrack before 220.127.116.11.
The Avast’s AntiTrack is advertised as a solution to block advertising trackers and to prevent monitoring of users’ online activities.
The expert found several issues in the application, but first of all let understand how the software works.
During installation, the Avast Antitrack adds the “AvastAntiTrack 2” certificate to the Windows “Trusted Root Certification Authorities” store.
Then the software proxies users’ traffic to HTTPS sites and presents the browser with a freshly minted certificate of its own for each site visited. Even if the browser displays a secure padlock icon, the traffic is not secured to the end web server.
The first issue found by the expert is that the application fails to check the validity of certificates presented to end servers, this means that an attacker could use self-signed, malicious certificates to launch MiTM attacks.
The second security issue disclosed by Eade ties the was Avast AntiTrack downgrades browser security protocols to TLS 1.0. This means that if a web server supports TLS 1.2, the software will establish a connection to TLS 1.0 websites.
“Internet Explorer and Edge can be configured to use only TLS 1.2 or higher.
The third issue is a failure for AntiTrack to honor browser cipher suites or Forward Secrecy.
“Microsoft periodically updates the cipher suites available
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.