Avast Secure Browser = Spyware. Another reason not to trust AVAST or AVG (same company). ESET is a much better alternative.


Mozilla locks nosy Avast, AVG extensions out of Firefox store amid row over web privacy

Add-ons accused of slurping every URL netizens visit

The Firefox extensions built by Avast have been pulled from the open-source browser’s online add-on store over privacy fears….The problem, as Palant has been documenting on his blog for some time, is that the extensions – which offer to do things like prevent malware infections and phishing – may go well beyond their needed level of access to user information to do their advertised functions.

According to Palant, the Avast extensions, when installed in your browser, track the URL and title of every webpage you visit, and how you got to that page, along with a per-user identifier and details about your operating system and browser version, plus other metadata, and then transmit all that info back to Avast’s backend servers. The user identifier is not always sent, according to Palant: it may not be disclosed if you have Avast Antivirus installed.

The rub seems to be that Avast says it needs this personal data to detect dodgy and fraudulent websites, while Palant argues the company goes too far and wanders into spyware territory. While Avast’s explanation is plausible, there are much better and safer ways to check visited pages for nastiness, typically involving cryptographic hashes of URLs, than firing off all visited web addresses to an Avast server, we note.

Palant also accused the Avast SafePrice and AVG SafePrice extensions of similarly harvesting people’s information: SafePrice checks you’re getting a good deal when shopping online.

He pointed out that AVG bought a company called Jumpshot in 2013, three years before AVG was acquired by Avast, that touts “clickstream data” that includes “100 million global online shoppers and 20 million global app users. Analyze it however you want: track what users searched for, how they interacted with a particular brand or product, and what they bought. Look into any category, country, or domain” – which sounds a lot like the data the Avast and AVG extensions collect.

What data is being collected?

The interesting fields were:

Field Contents
uri The full address of the page you are on.
title Page title if available.
referer Address of the page that you got here from, if any.
Identifier of the window and tab that the page loaded into.
How exactly you got to the page, e.g. by entering the address directly, using a bookmark or clicking a link.
visited Whether you visited this page before.
locale Your country code, which seems to be guessed from the browser locale. This will be “US” for US English.
userid A unique user identifier generated by the extension (the one visible twice in the screenshot above, starting with “d916”). For some reason this one wasn’t set for me when Avast Antivirus was installed.
plugin_guid Seems to be another unique user identifier, the one starting with “ceda” in the screenshot above. Also not set for me when Avast Antivirus was installed.
Type (e.g. Chrome or Firefox) and version number of your browser.
Your operating system and exact version number (the latter only known to the extension if Avast Antivirus is installed).

And that’s merely the fields which were set. The data structure also contains fields for your IP address and a hardware identifier but in my tests these stayed unused. It also seems that for paying Avast customers the identifier of the Avast account would be transmitted as well. (Source: Palante)

Palant, meanwhile, is now hoping to convince Google to follow Mozilla’s lead and block the Avast add-ons for Chrome and Opera users.

“Google Chrome is where the overwhelming majority of these users are,” the programmer noted. “The only official way to report an extension here is the ‘report abuse’ link. I used that one of course, but previous experience shows that it never has any effect.”

Yep, and Google’s Chrome Browser isn’t a really just a browser, it is an advertising platform that hoovers up all sorts of user private information. Any browser that will not allow the automatic deleteion of private data (including cookies) on exit is a dangerous piece if spyware. The only way to do that with Chrome easily is using a plugin. But we all know Google is in the advertising business and you are the product.