Avast and AVG Anti-Virus Browser Extensions Removed From Mozilla and Opera Stores

Wladimir Palant, creator of the popular “Adblock Plus” browser extension, is warning against the use of Avast and AVG browsers and browser extensions after extensive research into the data each of them collects. Wladimir first wrote about the extensions in October, going into great detail about the information being collected and sent back to Avast’s servers. Because Avast bought competitor AVG a few years ago, a nearly identical browser and browser extension were released under the AVG brand as well. After he published his findings, both Mozilla and Opera removed the extensions from their respective extension stores until further notice. Avast Online Security and AVG Online Security remain in Google’s Chrome Extension store at this time. See the table below for all the information being collected.

| Field | Contents |
| --- | --- |
| uri | The full address of the page you are on. |
| title | Page title if available. |
| referer | Address of the page that you got here from, if any. |
| windowNum | Identifier of the window and tab that the page loaded into. |
| initiating_user_action | How exactly you got to the page, e.g. by entering the address directly, using a bookmark or clicking a link. |
| visited | Whether you visited this page before. |
| locale | Your country code, which seems to be guessed from the browser locale. This will be “US” for US English. |
| userid | A unique user identifier generated by the extension (the one visible twice in the screenshot above, starting with “d916”). For some reason this one wasn’t set for me when Avast Antivirus was installed. |
| plugin_guid | Seems to be another unique user identifier, the one starting with “ceda” in the screenshot above. Also not set for me when Avast Antivirus was installed. |
| browserType | Type (e.g. Chrome or Firefox) and version number of your browser. |
| os | Your operating system and exact version number (the latter only known to the extension if Avast Antivirus is installed). |

Wladimir mentions in a second post that it was suggested he look at Jumpshot, a company purchased by Avast in 2013. Jumpshot sells collected tracking analytics and praises its data feeds: “Incredibly detailed clickstream data from 100 million global online shoppers and 20 million global app users. Analyze it however you want: track what users searched for, how they interacted with a particular brand or product, and what they bought. Look into any category, country, or domain.”


Analyst Notes

Always exercise caution when installing browser extensions and applications. The safest approach is to install only the minimum extensions necessary, and only official versions of extensions from reputable publishers. Unfortunately, in this case, the official extensions were the offenders. In such cases, it may also help to read the privacy policies to know exactly what data is being collected and how it is used before deciding to use an extension. Because so many critical business services with access to sensitive data are accessed through web browsers, it is important to limit the access of third-party companies to that data. Browser extensions can give companies access to a significant amount of information and should be strictly controlled by corporate policy.