AVG is one of the most popular free anti-virus solutions but the firm messed up badly with AVG SafeSearch, a Chrome toolbar that's installed without user consent. The fact that the toolbar will capture consumer data to sell it to advertisers is annoying enough, but Google was quite furious upon finding out that the extension is so broken that it poses a big security risk for Chrome users.
Google security researcher Tavis Ormandy filed a bug report on December 15 and sent the following e-mail to AVG:
“I’m really not thrilled about this trash being installed for Chrome users. The extension is so badly broken that I’m not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it’s a PuP [potentially unwanted program].
Nevertheless, my concern is that your security software is disabling web security for 9 million Chrome users, apparently so that you can hijack search settings and the new tab page.
There are multiple obvious attacks possible, for example, here is a trivial universal xss in the ‘navigate’ API that can allow any website to execute script in the context of any other domain.” (The relevant code samples can be viewed at the initial bug report.)
AVG released a broken patch on December 19, which Google rejected. At the moment, Google is evaluating a revised patch and reviewing the extension to determine whether AVG will be allowed to offer it at all. It's quite a sad incident, especially because AVG's free anti-virus solution is one of the best in the world.