#securebrowser — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #securebrowser, aggregated by home.social.

  1. It has been a while since I’ve written about Avast, so today I give you “How insecure is Avast Secure Browser?”

    palant.info/2024/07/15/how-ins

    Note: This isn’t a vulnerability disclosure, merely an overview of problematic design decisions.

    TL;DR from the article: I wouldn’t run Avast Secure Browser on any real operating system, only inside a virtual machine containing no data whatsoever.

    Some highlights:

    • Eleven pre-installed browser extensions but only two visible to users.
    • Two extensions unnecessarily relax Content-Security-Policy protection.
    • One of these two extensions also requests all privileges possible, despite not actually using them.
    • Two extensions accept messages from any other extension and any Avast website, the latter without enforcing HTTPS connections.
    • One of these extensions, Privacy Guard (sic!), will expose information about your browser’s tabs via that messaging interface and provide updates as you browse the web.
    • The “onboarding” experience is designed as an extremely flexible way to nag you into using products that benefit Avast financially.
    • To make this “onboarding” work, the browser exposes internal APIs to a number of Avast domains that a huge number of third parties can put content on. Not only can each of these third parties abuse this access, a single XSS vulnerability will extend the access to any website on the internet (no effective CSP protection).

    Enjoy!

    #avast #avg #avira #ccleaner #securebrowser #infosec
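
As an added illustration of the messaging findings above (not code from the post or from the linked article), here is the sender check a browser extension's external message listener should apply, next to the permissive policy the post describes: a check that trusts any extension and any website, including over plain HTTP, versus one pinned to known extension IDs and to allow-listed hosts over HTTPS only. It assumes WebExtension `runtime.onMessageExternal` semantics, where the sender object carries either an extension `id` or a web page `origin`/`url`; the extension ID and hostname are constructed placeholders.

```javascript
// Added example, not from the post or the article it links to.
// Constructed placeholders: a companion extension ID and an onboarding host.
const TRUSTED_EXTENSION_IDS = new Set([
  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", // placeholder, not a real extension ID
]);
const TRUSTED_WEB_HOSTS = new Set(["onboarding.example.invalid"]); // placeholder host

// Weak policy matching the post's finding: every extension and every
// website, http or https, gets the same access to the messaging interface.
function acceptsAnySender(_sender) {
  return true;
}

// Turn a sender URL into an origin, or null when it is not a valid URL.
function safeOrigin(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// Hardened policy: allow-listed extension IDs, or an allow-listed host
// reached over https. Anything else (http, "null" origin, missing data) is refused.
function isTrustedSender(sender) {
  if (sender.id) {
    // A message from another extension: pin to known IDs, not "any extension".
    return TRUSTED_EXTENSION_IDS.has(sender.id);
  }
  const origin = sender.origin ?? safeOrigin(sender.url);
  if (!origin) return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // e.g. the opaque origin "null"
  }
  if (parsed.protocol !== "https:") return false; // no plain-http callers
  // Exact host match; a suffix test like endsWith(".example.invalid") would be looser.
  return TRUSTED_WEB_HOSTS.has(parsed.hostname);
}

// Listener body: answer only when the policy accepts the sender, otherwise drop
// the message so no tab or browser information reaches an untrusted caller.
function handleExternalMessage(message, sender, sendResponse, policy = isTrustedSender) {
  if (!policy(sender)) return false;
  sendResponse({ ok: true, echo: message });
  return true;
}
```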