Avast AntiTrack certificate errors make it possible for others to spy on your online activities

시간: Apr. 2, 2020

A vulnerability impacting Avast and AVG AntiTrack privacy software opened up user PCs to Man-in-The-Middle attacks, browser session hijack, and data theft.

Disclosed by David Eade on March 9, the security researcher said the security flaw, tracked as CVE-2020-8987, is a certification validation issue that affects Avast AntiTrack before 1.5.1.172 and AVG AntiTrack before 2.0.0.178.

Attackers do not need local access to trigger the vulnerability, and no special software configuration needs to be in place.

Avast's AntiTrack software is designed to block advertising trackers and to prevent "invasive" monitoring of your online habits. However, a set of three security failures undermined these goals.

The first issue has been caused by a failure to check the validity of certificates presented to end servers. In these cases, self-signed, malicious certificates may be missed, permitting attackers to launch MiTM attacks.

The second security problem outlined by the researcher is how Avast AntiTrack downgrades browser security protocols to TLS 1.0. Even if a web server supports TLS 1.2, the software will ignore these settings and make connections to TLS 1.0 websites -- and when it comes to browsers that have been configured to only reach websites supporting the higher standard, Avast's software should not ignore such direction.

The third problem is a failure for AntiTrack to honor browser cipher suites or Forward Secrecy, a means to ensure session keys are not compromised.

Eade disclosed the security problems to Avast on August 7, 2019. After several months, the vulnerabilities were dealt with internally, but it was not until 9 March 2020 that a public patch had been deployed for both Avast and AVG AntiTrack, both of which share a similar core code.

Avast thanked the researcher for his findings, saying that the vulnerability has now been patched in Avast AntiTrack version 1.5.1.172 and AVG AntiTrack version 2.0.0.178. The update has now been pushed out to users.

최근 뉴스: INSTALL SONOFF WIFI switch

다음 뉴스: Bitdefender reveals Mandrake spyware targeting Australian Android users

이메일 주소
비밀번호

회원가입하여 회원이 되세요

Caps Lock이 활성화되었습니다
로그인 상태 유지

비밀번호를 잊으셨나요?

아직 가입하지 않으셨나요? 지금 가입하세요

타사 계정으로 로그인:

facebook
google
Twitch
Youtube

이메일 주소 *(Used To Receive Key)

유효한 이메일을 입력하세요.
비밀번호*

6~16자의 문자, 숫자, 특수 문자.
비밀번호 확인*
이름* 성*
팁
increase-you_must_accept_bzfuture
읽고 동의했습니다.

서비스 약관 & 개인정보 보호정책

bzfuture의 할인 혜택, 이벤트 및 뉴스레터를 구독하세요.

이미 bzfuture 계정이 있으신가요? 지금 로그인하세요

타사 계정으로 로그인

facebook
google
Twitch
Youtube

휴대전화*

Please enter a valid mobile phone.
인증 코드*

인증코드 받기

The code will be invalid in 5 minutes
비밀번호*

5 to 16 letters, numbers, and special characters.
비밀번호 확인*
비밀번호는 비워둘 수 없습니다.
읽고 동의했습니다.

서비스 약관 & 개인정보 보호정책

bzfuture의 할인 혜택, 이벤트 및 뉴스레터를 구독하세요.

아직 가입하지 않으셨나요? 지금 가입하세요

프롬프트:

increase-the_programe_has_been_successfully

프롬프트:

increase-the_programe_has_been_successfully

프롬프트:

시스템이 부하상태입니다. 잠시만 기다려주세요

환영합니다. ! bzfuture 회원으로 성공적으로 가입했습니다.

돌아가다 사용자 센터

장바구니에 새 항목이 추가되었습니다.

Avast AntiTrack certificate errors make it possible for others to spy on your online activities

닫기bzfuture에 오신 것을 환영합니다. 로그인하세요.

아직 가입하지 않으셨나요? 지금 가입하세요

타사 계정으로 로그인:

닫기bzfuture에 오신 것을 환영합니다. 가입하세요.

이미 bzfuture 계정이 있으신가요? 지금 로그인하세요

타사 계정으로 로그인

아직 가입하지 않으셨나요? 지금 가입하세요

닫기

닫기

닫기

닫기등록 성공

닫기보안인증