Serious security vulnerabilities have been discovered in Avast’s Antitrack and AVG Antitrack tools. Exploiting the flaws could expose users to MiTM attacks whilst downgrading browsers’ security.
Avast AntiTrack Certificate Vulnerability
Reportedly, researcher David Eade found numerous security vulnerabilities in the Avast Antitrack tool. One of these is a vulnerability in certificate validation feature that could have allowed man-in-the-middle (MiTM) attacks.
Elaborating his findings in a post, the researcher stated,
Avast Antitrack does not check the validity of certificates presented by the end web server. This makes it trivial for a man-in-the-middle to serve a fake site using a self-signed certificate.
An attacker could not only intercept the victim’s traffic but could also hijack live sessions by cloning cookies, thus bypassing two-factor authentication as well. Exploiting this bug required no user interaction, hence becoming entirely possible for a remote attacker.
The researcher also noticed two other issues with the same tool. At first, it downgraded the browser’s security protocol to TLS 1.0. Then, the chosen cipher suites by the tool did not support Forward Secrecy.
Patches Rolled Out
The researcher found the said issues in the Avast Antitrack tool. However, since it shares codes with AVG Antitrack as well, the same vulnerabilities also applied to the latter.
Specifically, the bugs affected all Avast Antitrack versions prior to 1.5.1.172, and AVG Antitrack versions below 2.0.0.178.
Upon discovering the flaws in August 2019, the researcher contacted Avast to report the matter. After continued communication in the following months, the vendors eventually patched the flaws. At first, they released Avast Antitrack 1.5.1.172, and then AVG Antitrack 2.0.0.178 containing the patches.
Avast has confirmed the existence and subsequent patching of the vulnerabilities whilst acknowledging the researcher in a separate advisory. As stated,
Thanks to David for reporting these issues to us, the issues have been fixed, through an update pushed to all AntiTrack users.
Let us know your thoughts in the comments.