Avast's AntiTrack promised to protect your privacy. Instead, it opened you to miscreant-in-the-middle snooping

You'd think HTTPS certificate checking would be a cinch for a computer security toolkit – but not so for Avast's AntiTrack privacy tool. Web researcher David Eade found and reported CVE-2020-8987 to Avast: this is a trio of blunders that, when combined, can be exploited by a snooper to silently intercept and tamper with an …

  1. IGotOut


    No better than the spyware it is supposed to stop.

    So much so, Mozilla kicked them out before Christmas.

    1. Def Silver badge

      Re: Avast

      I kicked them off my systems years ago. Shortly after they became bloaty and naggy.

    2. Chris G Silver badge

      Re: Avast

      They are just a sales outfit nowadays, trading on the fact that they used to be a top player.

      Download any Avast/AVG software and you will have nagware all day long, trying to sell you more of their crap.

      Salesmen and beancounters can't write security software.

      1. Truth4u

        Maybe they were a top player 15 years ago but Microsoft Security Essentials has been around for 11 years now, and all the sensible analysts saw the writing on the wall and switched around 10 years ago.

        Now Microsoft call it something else, but the point is that their AV was designed from the ground up not to subvert the Windows API while AVG was designed from the ground up to subvert the Windows API. 15 years ago, that was the only option, but it was never a good option.

        If you don't reevaluate your security measures periodically, you can't know that they are still any good.

        1. JCitizen


          It is a sad fact they took the bloated universal fits all cr@pware road, so many formerly good AV utilities did - but I finally trashed it over a year ago when it failed to detect a major drive by attack I got from an infected malvertisement. Sad thing is Essentials or Windows Defender is all we got if we are poor now. But I guess it depends on how you look at it. Almost none of today's competent malware is detectable anyway, so you will have to pay through the nose and get an anti-malware that uses different tactics than yesterday's AM solution.

          ESET is probably one of them, but I've had better luck since I ditched Avast, and left my lifetime licensed MBAM solution on board. It turned out Avast was too busy blocking MBAM, and when I finally got rid of it, I found MBAM was doing a better job by itself. It can occasionally trip up undetected malware by simply blocking certain actions by enhancing the Windows permissions themselves. I know I have an attack when the screen goes black and a windows error box tells me I don't have the permissions to do what "I'm" supposedly trying to do. I think this is also how MBAM fights ransomware - quite similar to CryptoPrevent, but up to date and not free anymore.

          If anybody knows of a file cleaner that can get rid of LSO's and Zombie files, please let us know, because now CCleaner has been acquired by Avast, and now it nags you with popup ads as well! So it is just a matter of time before malware finds a vulnerability in it too!

  2. Phil O'Sophical Silver badge

    AntiTrack forcibly downgrading browsers to TLS 1.0

    Really? Do they have any competent security people on their code review team?

    1. matt 83

      How serious is that?

      If the connection between the antitrack proxy and the site was tls1.0 then fine but I thought this was software running on your computer so someone hoping to take advantage of it would have to be able to intercept the internal connection between two bits of software running on the same machine.

      The javascript interpreter running as admin and the failure to check the certs seems much more idiotic than using an internal TLS 1.0 connection (if it really is internal, personally I wouldn't touch Avast or AVG with a 10 foot pole so I'm not 100% sure)

      1. Anonymous Coward

        AntiTrack acts as a man-in-the-middle between your browser and the site you're connecting to. If that site, or one it uses, is malicious and AntiTrack has downgraded your connection to TLS1.0, you're susceptible to attacks like POODLE.

        1. eldakka Silver badge

          If @Matt 83's explanation is accurate, then it isn't exposing you to POODLE as far as I can tell. For POODLE to work, the communications between the client and across a network (usually through a routing device or at the destination site) have to be downgraded to SSL3 or earlier, with the attack occurring on that part of the comms that is at SSL3.

          For starters, this is downgrading the connection to TLS1, not SSL3, and as @Matt 83 questioned, is the downgrade along the entire client <-> server communications path, or is it only between the local client browser and the local proxy, where the proxy communicates with the destination site via newer TLS versions? e.g.:

          browser <-> TLS1 <-> local (same device as browser) proxy <-> TLS 2+ <-> network

          But we don't have enough information, at least from this article, to know. But even then, POODLE requires SSL3 as far as my brief research has found, and, since no citations on POODLE affecting TLS1 were provided, brief is as far as I'll go.

  3. adam payne Silver badge

    I remember using Avast back in the day and using a couple of the free skins they had available for it. I also remember recommending it as a decent alternative to the big guys.

    I saw it on a couple of PCs late last year and wow was it bloated and naggy. They have added so much additional stuff to it that is of course all pay for.

    The thing constantly nags you about upgrading to pro or alerts you to a new report about how many infections they stopped worldwide.

    Nowadays wouldn't touch it with someone else's bargepole.

  4. ecofeco Silver badge


    They lost the plot years ago.


Biting the hand that feeds IT © 1998–2020