Security expert David Eade has discovered a vulnerability (CVE-2020-8987) in Avast and AVG AntiTrack privacy software that could expose end-users to Man-in-The-Middle (MiTM) attacks, browser session hijack, with consequent exposure of sensitive data.
“A remote attacker running a malicious proxy could capture their victim’s HTTPS traffic and
The vulnerability was disclosed by the expert on March 9, it is classified as a certification validation issue that affects Avast AntiTrack before 220.127.116.11 and AVG AntiTrack before 18.104.22.168.
The Avast’s AntiTrack is advertised as a solution to block advertising trackers and to prevent monitoring of users’ online activities.
The expert found several issues in the application, but first of all let understand how the software works.
During installation, the Avast Antitrack adds the “AvastAntiTrack 2” certificate to the Windows “Trusted Root Certification Authorities” store.
Then the software proxies users’ traffic to HTTPS sites and presents the browser with a freshly minted certificate of its own for each site visited. Even if the browser displays a secure padlock icon, the traffic is not secured to the end web server.
The first issue found by the expert is that the application fails to check the validity of certificates presented to end servers, this means that an attacker could use self-signed, malicious certificates to launch MiTM attacks.
The second security issue disclosed by Eade ties the was Avast AntiTrack downgrades browser security protocols to TLS 1.0. This means that if a web server supports TLS 1.2, the software will establish a connection to TLS 1.0 websites.
“Internet Explorer and Edge can be configured to use only TLS 1.2 or higher.
The third issue is a failure for AntiTrack to honor browser cipher suites or Forward Secrecy.
“Microsoft periodically updates the cipher suites available