Security researcher YoKo Kho was recently awarded $5,000 for discovering a cross-site scripting (XSS) vulnerability in Avast Anti-Virus for Windows desktop devices. Normally this would not be an issue for a desktop application, but Avast appears to render HTML in at least some portions of its product. Avast shows a prompt when a user connects to a new wireless network, and that prompt displays the network's SSID (name). Without proper sanitization, an attacker can set a network name to a short snippet of HTML that Avast will then render as part of its own user interface. This could allow an attacker to do things like show a popup on the victim's machine or display a login form inside Avast's network connection prompt.
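To illustrate the defect the article describes, here is an added example in JavaScript (not Avast's code): a network-connection prompt built from an untrusted SSID, once with the raw name concatenated into markup and once with output encoding applied. The prompt wording, function names and the sample SSID are assumptions; the 32-octet limit is the 802.11 maximum SSID length.

```javascript
// Added example, not Avast's code: an HTML-based prompt that shows the name
// of a newly joined Wi-Fi network, first the unsafe way, then hardened.

// An 802.11 SSID is at most 32 octets, which is why the injected markup
// in the article is described as a "short snippet".
const SSID_MAX_OCTETS = 32;

// Encode the five characters that can change HTML context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the raw SSID lands inside the markup unchanged,
// so any tags in the network name become part of the prompt's DOM.
function renderPromptUnsafe(ssid) {
  return `<p>You connected to <b>${ssid}</b>. Is this network trusted?</p>`;
}

// Hardened pattern: reject impossible lengths and encode before templating,
// so the SSID is displayed as text rather than interpreted as HTML.
function renderPromptSafe(ssid) {
  if (new TextEncoder().encode(ssid).length > SSID_MAX_OCTETS) {
    throw new RangeError("SSID longer than 802.11 allows");
  }
  return `<p>You connected to <b>${escapeHtml(ssid)}</b>. Is this network trusted?</p>`;
}

// Review/test check: the rendered prompt should contain only the template's
// own four tags (<p>, <b>, </b>, </p>); any extra tag came from the SSID.
function countTags(html) {
  return (html.match(/<[a-zA-Z/][^>]*>/g) || []).length;
}

// Constructed network name (hypothetical, not a real access point) that
// carries harmless markup to show where injection happens.
const sampleSsid = "Cafe WiFi<u>free</u>";
```

Running `countTags` over both renderings shows the unsafe version gains two tags from the SSID while the safe version keeps exactly the template's four.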
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia's invasion of Ukraine increased