Threat Watch

Cross-Site Scripting (XSS) Vulnerability Discovered in Avast Anti-Virus for Windows

Security researcher YoKo Kho was recently awarded $5,000 for discovering an XSS (cross site scripting) vulnerability within Avast Anti-Virus for Windows desktop devices. Normally this would not be an issue for desktop applications, but Avast appears to be rendering HTML in at least some portions of their product. Avast has a prompt for when a user connects to a new wireless network that will display the SSID (name) of that network. Without proper sanitization, it’s possible to set a network name to a short snippet of HTML that Avast will then try to display as part of its own application. This could give an attacker the ability to do things like showing a popup on the victim’s machine or displaying a login form on the network connection prompt from Avast.

ANALYST NOTES

: It’s never a good idea to connect to an unfamiliar network. On top of this particular vulnerability from Avast caused by seeing HTML in the network name, end-users should not expect any form of privacy or security from connecting to unknown, open networks. Whenever possible, all software (especially anti-virus products!) should be kept up-to-date in hopes of fixing any issues like this one that may exist.

Source: https://medium.com/bugbountywriteup/5-000-usd-xss-issue-at-avast-desktop-antivirus-for-windows-yes-desktop-1e99375f0968

Subscribe to Threat Watch

Daily summaries of threats, delivered straight to your inbox!


Click Here to Subscribe to Threat Watch
Facebook Twitter Instagram Youtube Linkedin
Solutions
Become a Reseller

Industries

Resources

About

Contact Us
Contact Support