I know that everybody is tired of me talking about but this time it's a beefy RCE vulnerability. Avast Secure Browser could be trivially taken over by any website, allowing even execution of arbitrary OS commands.

palant.de/2020/01/13/pwning-av

That's the actual research I was conducting when I hit their privacy issues. It's a bit weird that I kept talking about their data collection practices while the initial security research had to stay secret until the deadline.

Big thanks to @yarlob@twitter.com for the important hint here!

notified me that they resolved CVE-2019-18894 yesterday. I can confirm the issue being resolved even though the displayed application release date doesn't change. That's good news, I really don't enjoy dropping 0-days...

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.