A bug in Avast Anti-Track privacy software allowed MITM attack on HTTPS traffic
A vulnerability found in Avast AntiTrack & AVG AntiTrack could allow attackers to monitor & steal information about your online activities by performing Man-in-The-Middle (MiTM) attacks & session hijacking on browsers.
The security researcher David Eade discovered this security flaw in Avast AntiTrack and AVG AntiTrack [CVE-2020-8987] and reported to Avast on August 7, 2019. The report & fix was publically disclosed on March 9, 2020.
Findings said the affected products are Avast AntiTrack before v1.5.1.172 and AVG AntiTrack before v2.0.0.178
See also: The Good and Bad About Recent Chrome 80 Update
Avast AntiTrack is a privacy software for PCs that protects against unauthorized online tracking. However, the discovery of these 3 security issues in Avast products may have lessened the customer trust –
The first issue was related to the checking of the validity of certificates presented by the end web server resulting in easy MITM attacks:
Here, an attacker could simply serve a fake & malicious site using a self-signed certificate for www.avast.com. In findings, Avast AntiTrack proxy ignores this fake certificate problem and presents its own certificate (even on HTTP traffic, because the Avast certificate has been trusted in the victim’s browser as an entry in Root CA store).
The second issue was related to the browser’s security protocol:
In findings, Eade reported that Avast AntiTrack can downgrade the browser’s security protocol to TLS 1.0. This means even if the browser is configured to only reach websites supporting higher TLS versions, Avast AntiTrack ignores this configuration.
The third issue was related to browser cipher suites:
The researcher also reported that the Avast AntiTrack does not honor Browser cipher suits and chooses much older ciphers which are considered weak by today’s standards.
“The consequences are hard to overstate. A remote attacker running a malicious proxy could capture their victim’s HTTPS traffic and record credentials for later re-use”, says David Eade.
According to Avast, the vulnerability has now been patched and updates are provided to users in the latest versions of Avast AntiTrack and AVG AntiTrack.