If a site needs two-factor authentication (such as a one-time password), then the attacker can still hijack a live session by cloning session cookies after the victim logs in." "A remote attacker running a malicious proxy could capture their victim's HTTPS traffic and record credentials for later re-use. "The consequences are hard to overstate," Eade says. Eade says that in the cases of Internet Explorer and Edge, "these are ignored by Avast AntiTrack in favor of much older ciphers, considered weak by today's standards." The third problem is a failure for AntiTrack to honor browser cipher suites or Forward Secrecy, a means to ensure session keys are not compromised.
#AVG ANTI TRACK REVIEW SOFTWARE#
Even if a web server supports TLS 1.2, the software will ignore these settings and make connections to TLS 1.0 websites - and when it comes to browsers that have been configured to only reach websites supporting the higher standard, Avast's software should not ignore such direction. The second security problem outlined by the researcher is how Avast AntiTrack downgrades browser security protocols to TLS 1.0. In these cases, self-signed, malicious certificates may be missed, permitting attackers to launch MiTM attacks.ĬNET: This proposed law to protect child safety could put your security at risk
The first issue has been caused by a failure to check the validity of certificates presented to end servers.
However, a set of three security failures undermined these goals. See also: NordVPN HTTP POST bug exposed customer information, no authentication requiredĪvast's AntiTrack software is designed to block advertising trackers and to prevent "invasive" monitoring of your online habits. Simple steps can make the difference between losing your online accounts or maintaining what is now a precious commodity: Your privacy.ĭisclosed by David Eade on March 9, the security researcher said the security flaw, tracked as CVE-2020-8987, is a certification validation issue that affects Avast AntiTrack before 1.5.1.172 and AVG AntiTrack before 2.0.0.178.Īttackers do not need local access to trigger the vulnerability, and no special software configuration needs to be in place. Cyber security 101: Protect your privacy from hackers, spies, and the government