Pinned toot

I post about technical topics here, especially , , . My other account social.tchncs.de/@WPalant is for German-language non-technical stuff.

This thread is important when it comes to preserving evidence: you cannot rely on the Internet Archive. Companies have ways to remove unwanted information about them, and they often won't hesitate to do that.

twitter.com/VickerySec/status/

The latest email from restates: they only collected so much data in Avast SafePrice and Avast Secure Browser because of a shared code base, the data being discarded on the server. I'm not sure which option makes me more sad: that this statement is a lie or that it is correct.

notified me that they resolved CVE-2019-18894 yesterday. I can confirm that the issue is resolved even though the displayed application release date doesn't change. That's good news; I really don't enjoy dropping 0-days...

That's the actual research I was conducting when I hit their privacy issues. It's a bit weird that I kept talking about their data collection practices while the initial security research had to stay secret until the deadline.

Big thanks to @yarlob@twitter.com for the important hint here!

I know that everybody is tired of me talking about but this time it's a beefy RCE vulnerability. Avast Secure Browser could be trivially taken over by any website, allowing even execution of arbitrary OS commands.

palant.de/2020/01/13/pwning-av

Unfortunately, further communication here is muddying the waters. It now seems that doesn't give up on sharing data with after all, merely making it an opt-in thing for users of the free antivirus app. Still a lot better than before but not the same thing.

I rewrote parts of this article based on information provided by . If Avast indeed gave up on monetizing data from extensions, this changes the situation considerably.

palant.de/2020/01/08/avast-com

Got an email from Avast with some clarifications. In particular: "we completely discontinued the practice of using any data from the browser extensions for any other purpose than the core security engine." This is huge! Asked a few followup questions, will update blog post soon.

I finished analyzing updates to the Avast Online Security extension. It is indeed far more privacy-friendly now and properly respects users' choices. Quite a surprising development given how they denied anything being wrong with it.

palant.de/2020/01/08/avast-com

But internally that setting exists on Chrome as well; presumably it's synced to the application's "data sharing" setting. The default here is now sending a limited set of data. If the application is installed and data sharing is allowed there, it will send everything like before.

So Avast Online Security for Firefox is now indeed only sending minimal data, essentially only the full URL and the extension version. This is regardless of the settings.

The Chrome extension is quite different. No consent screen here and no "share data with Jumpshot" setting.

Interestingly, the amount of data being sent in practice for me has been reduced considerably; it's actually quite acceptable now. That's regardless of whether data sharing with Jumpshot is allowed. But the code looks the same, so I'll need to figure out what really changed here.

So when data sharing with Jumpshot isn't allowed, the requests will have an additional "dnl" flag set. Presumably, Avast will consider it on the server side and make sure that data isn't shared with Jumpshot. Some requests won't be sent; I'm not entirely sure which ones, however.

Interesting fact: the setting was only renamed in English; all other languages still use the old wording. These languages are better off than before, however: the original setting name was something like "Allow data sharing" there.

Comparing the code some more, it seems that the code syncing the "data sharing" setting in the application and the "communityIQ" setting in the extension was already there before. Clearly, it doesn't affect the data sent; the question is what it actually does...

Wait, there is more after all. The setting called "Allow usage data to be shared with 3rd parties for analytics" is now called "Allow usage data to be shared with Jumpshot for analytics." If I understood correctly, this considers the data sharing setting of the application now.

And of course nothing changes about selling this data via . Because, and that is 's official position, all the data is anonymized (or do they mean pseudonymized?) so this is absolutely unproblematic. 🙈🙉🙊

There is a far more usable privacy policy however, linked from the consent screen as well. But the tenor is obviously: this is all required functionality, take it or we won't protect you. addons.mozilla.org/addon/avast

Ok, so far it seems that the technical changes in Firefox are limited to a consent page. If you disagree, the extension won't do anything and suggests that you uninstall. If you agree, the same data is transmitted as before (minus the page title).

Done polishing the article on vulnerabilities (to be published next Monday); now I can finally look into how Avast addressed the privacy issues reported earlier.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.