Done polishing the article on vulnerabilities (to be published next Monday), now I can finally look into how Avast addressed the privacy issues reported earlier.

Ok, so far it seems that the technical changes in Firefox are limited to a consent page. If you disagree, the extension won't do anything and suggests that you uninstall. If you agree, the same data is transmitted as before (minus page title).

There is a far more usable privacy policy however, linked from the consent screen as well. But the tenor is obviously: this is all required functionality, take it or we won't protect you. addons.mozilla.org/addon/avast

And of course nothing changes about selling this data via . Because, and that is 's official position, all the data is anonymized (or do they mean pseudonymized?) so this is absolutely unproblematic. 🙈🙉🙊

Wait, there is more after all. The setting called "Allow usage data to be shared with 3rd parties for analytics" is now called "Allow usage data to be shared with Jumpshot for analytics." If I understood correctly, this considers the data sharing setting of the application now.

Comparing the code some more, it seems that the code syncing the "data sharing" setting in the application and the "communityIQ" setting in the extension was already there before. Clearly, it doesn't affect the data sent, the question is what it actually does...

Interesting fact: the setting was only renamed in English, all other languages still use the old wording. These languages are better off than before however, the original setting name was something like "Allow data sharing" there.

So when data sharing with Jumpshot isn't allowed, the requests will have an additional "dnl" flag set. Presumably, Avast will consider it on the server side and make sure that data isn't shared with Jumpshot. Some requests won't be sent, I'm not entirely sure which ones however.

Interestingly, the amount of data being sent in practice for me has been reduced considerably - it's actually quite acceptable now. That's regardless of whether data sharing with Jumpshot is allowed. But the code looks the same, I'll need to figure out what really changed here.

So Avast Online Security for Firefox is now indeed only sending minimal data, essentially only full URL and extension version. This is regardless of the settings.

The Chrome extension is quite different. No consent screen here and no "share data with Jumpshot" setting.

But internally that setting exists on Chrome as well, presumably it's synced to the application's "data sharing" setting. The default here is now sending a limited set of data. If the application is installed and data sharing is allowed there, it will send everything like before.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.