Serious security vulnerabilities have been discovered in Avast Antitrack and AVG Antitrack tools. Exploiting the flaws could expose users to MiTM attacks while degrading the security of browsers.

Avast AntiTrack Certificate Vulnerability


Researcher David Eade reportedly found numerous security vulnerabilities in the Avast Antitrack tool. One of them is a vulnerability in the certificate validation function that could have allowed Man-in-the-Middle (MiTM) attacks. In elaborating his findings in a publication, the researcher stated:

Avast Antitrack does not verify the validity of certificates submitted by the final web server. This makes it easier for a man in the middle to serve a fake site with a self-signed certificate.

An attacker can not only intercept the victim's traffic but can also hijack live sessions by cloning cookies, thus avoiding two-factor authentication. Exploiting this error did not require user interaction, making it entirely possible for a remote attacker.

The researcher also noted two other problems with the same tool.Initially, it reduced the Browser Security Protocol to TLS 1.0. So the cipher suites chosen by the tool did not support Forward Secrecy.

Patches Rolled Out

The researcher found such problems in the Avast Antitrack tool. However, since it also shares codes with AVG Antitrack, the same vulnerabilities also applied to the latter.
Specifically, the bugs affected all versions of Avast Antitrack prior to 1.5.1.172 and AVG Antitrack versions lower than 2.0.0.178.

Upon discovering the flaws in August 2019, the investigator contacted Avast to report the matter. After continuous communication in the following months, vendors eventually corrected the defects. At first they released Avast Antitrack 1.5.1.172, and then AVG Antitrack 2.0.0.178 which contained the patches.

Avast has confirmed the existence and subsequent patching of the vulnerabilities while acknowledging the researcher in a separate notice. As it was told,

Thanks to David for reporting these issues to us, the issues have been fixed by an update that was sent to all AntiTrack users.