[tor-bugs] #2118 [Tor bundles/installation]: AVG Security Toolbar installs itself to Firefox.

#2118: AVG Security Toolbar installs itself to Firefox.
 Reporter:  cypherpunks               |       Owner:  erinn        
     Type:  defect                    |      Status:  new          
 Priority:  major                     |   Milestone:               
Component:  Tor bundles/installation  |     Version:  Tor:
 Keywords:                            |      Parent:

 If the AVG Security Toolbar is installed to the local Firefox
 installation, it will attach itself to instances of Firefox Portable
 included in the Tor IM Browser Bundle 1.3.10 and previous.

 It's major because:

 1) AVG Anti-Virus Free updates itself without user intervention. If it was
 installed with the "AVG Security Toolbar" option checked, and Firefox was
 installed after AVG, the toolbar will not be in Firefox. However, when AVG
 auto-updates, it will install the toolbar as a Firefox add-on without the
 user doing anything.

 2) There is evidence that the toolbar communicates user nationality to
 power the search field. Correctly localized web pages and news articles
 are served back to the user even through Tor. The search engine knows the
 user's language and location settings as they appear to AVG.

 3) It automatically pastes searches done in the Firefox search bar into
 the AVG Security Toolbar search bar. I don't know to what degree that
 information is sent to their servers or to search engine servers.

 4) The computer's administrator may have set the default search engine to
 Baidu, which is located in China.

 5) The user may be unable to change anti-virus settings.

 To easily replicate this issue, install AVG Anti-Virus Free (no charge) to
 a Windows machine with Firefox and select the option to display the AVG
 Security Toolbar. Or, install Firefox to a Windows machine with AVG Anti-
 Virus Free, download the latest AVG Anti-Virus Free, launch it and select
 "Repair Installation." If AVG auto-updates, it will do this step for you
 without any prompts except to reboot when it's done! Then launch a Tor
 Browser instance and a functioning AVG toolbar will be there.

 To remedy the issue, an administrator can "Repair Installation" and
 uncheck the AVG toolbar option, or disable the add-on in Firefox.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2118>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online