Browser extensions can be awesome tools to enhance productivity, security and even online shopping but the unfortunate reality is that these “add-ons” can often be wolves in sheep’s clothing. In some cases, extensions from the Chrome Web Store and other browser shops can carry with them malicious code that purposes themselves to highjack sensitive data, inject malware and adware or even lock down a user’s device. Thankfully, apps of this nature are normally identified and removed from the browser storefronts to be heard from no more.
Sadly, in a data-driven world where aggregating user information equates to money in the bank, there is a rise in the number of browser add-ons that intend not to harm the system but to scrape as much data a possible with the intention of taking said data and selling it to the highest bidder. Companies pay top dollar for demographic information because that’s how they create targeted advertising which results in bigger profits. It happens all the time and even though many users don’t like it, the majority of us are subject to this type of data collection because we submit to it when we surf social media or accept cookies on the countless sites we browse every day. (The next time you’re asked to accept the cookies on a site, take a second to read the disclaimer and you’ll probably see what I’m talking about) Here’s an example:
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.
But what happens when this data is being taken without consent? Worse yet, what if it’s a trusted application that is actually meant to give users a safer web browsing experience? Well, it appears that this is exactly what’s going on with the very popular security extensions from AVG and Avast. In a blog post from the creator of AdBlock Plus creator Wladimir Palant details the disturbing amount of unnecessary amount of data that the security extensions are gathering from the hundreds of millions that use AVG and Avast on a daily basis.
Sign Up For NordVPN TodayWhen Avast Online Security extension is active, it will request information about your visited websites from an Avast server. In the process, it will transmit data that allows reconstructing your entire web browsing history and much of your browsing behavior. The amount of data being sent goes far beyond what’s necessary for the extension to function, especially if you compare to competing solutions such as Google Safe Browsing.
Wladimir Palant, Creator of Adblock Plus
Not surprisingly, Palant points out that the data scraping has been discovered in AVG and Avast’s SafePrice price comparison tools. Palant goes on to point out that Avast acquired the company Jumpshot in 2013. You may not be familiar with Jumpshot or their product, Clickstream but they’re probably familiar with you. Here’s a tagline from their website.
Incredibly detailed clickstream data from 100 million global online shoppers and 20 million global app users. Analyze it however you want: track what users searched for, how they interacted with a particular brand or product, and what they bought. Look into any category, country, or domain.
Jumpshot
Again, if there is transparency about when and how your browsing data is being used, it’s a non-issue. It’s what makes the web go round. However, we now have a security extension from a company that has been a household name for decades and it’s collecting excess data from its users and it happens to own a massive data aggregation service. I’m not a conspiracy theorist but this looks a little hinky to me.
On the brighter side of things, it appears that Mozilla and Opera have removed all four of the extensions from their add-on stores. To clarify, Avast owns AVG and their online security extensions, as well as their identical named “SmartPrice” tools, are pretty much clones of each other. The bad news here is that Google, despite users reporting abuse, has yet to pull these extensions from the Chrome Web Store. Palant believes that Google refrains from pulling extensions from the store unless they are heavily covered by the press. I don’t know if that’s the case or not but to protect yourself, the best thing that you can do is uninstall these extensions until further notice.
On that note, ZDNet reports that a spokesperson from Avast has stated that they are working to meet Mozilla’s requirements and hope to have the updated extension back in the Firefox add-on store soon.
The Avast Online Security extension is a security tool that protects users online, including from infected websites and phishing attacks,” an Avast spokesperson told ZDNet. “It is necessary for this service to collect the URL history to deliver its expected functionality. Avast does this without collecting or storing a user’s identification.
We have already implemented some of Mozilla’s new requirements and will release further updated versions that are fully compliant and transparent per the new requirements,” the Avast spokesperson said. These will be available as usual on the Mozilla store in the near future.
Avast via ZDNet
At the end of the day, it’s unlikely that Avast and AVG are doing anything that would be harmful to a user’s system but the muddy water around this subject would cause me to take pause before using their security products. Without a distinctly clear intent of use for the data they are collecting, I would tend to err on the side of caution and there are plenty of other options out there to secure the browsing experience that wouldn’t have me concerned about who is buying my personal browsing history. You can read, in detail, what these extensions are doing in Palant’s blog posts here and here. We have reached out to Google for an official statement as it pertains to the Chrome Web Store and will update if and when we receive a response.
Leave a Reply
You must be logged in to post a comment.