Last week, Google Project Zero researcher Tavis Ormandy harshly criticized Chromodo, the "secure" browser that Comodo ships with its antivirus products. Now it is the turn of the Avast SafeZone browser, also known as Avastium.
Ormandy appears to have decided to take a serious look at browser security, and the results show it was worth the effort. Avast's own fork of Chromium turned out to be even worse than Chromodo, which disabled the Same Origin Policy.
Avastium is offered to users of the paid Avast Antivirus 2016, but it hardly gives them any additional protection. The researcher found that an attacker can successfully retrieve the browser history, passwords and other confidential information that the application stores.
To carry out the attack, the attacker does not even need additional malware: Avast's browser stores all of this data in clear text, so the main thing the attacker needs to know is that the victim has Avastium installed.
"Although the attack was made on Avastium, the victim is not obliged to use it, either at the time of the attack or in general. The fact is that your profile is automatically imported from Chrome, even just when installing Avastium," writes Ormandy.
The researcher adds that SafeZone "borrows" Chrome's bookmarks, settings, cookies and passwords automatically, without notifying the user.
The expert explains that, in effect, an attacker gains access to the victim's file system if the victim simply clicks a malicious link. The attacker does not even need to know the exact location of specific files, because the same attack can also obtain a directory listing.
On top of that, an attacker can send arbitrary authenticated HTTP requests on the victim's behalf, which gives him access to the victim's cookies and address, lets him interact with the victim's online banking, and so on.
As proof of how leaky Avastium is, Ormandy created a proof-of-concept page where the browser can be checked for the vulnerability.
Avast has released Avast 2016 build 2016.11.1.2253, which fixes the problems found by the researcher.
Ormandy's efforts inspired another researcher, who also decided to check browser security. He started with the browser built into Steam's official client. This is yet another Chromium fork, and it turns out to have no fewer problems than its "protected" competitors on the market.
GitHub user ekaris writes that the Steam client uses an old version of Chromium: while the latest release is v50, Steam uses v47. Although the report was published on the "Steam Client for Linux" page, the same problem exists in the Windows and Mac clients. It is not hard to guess that the old version contains unpatched vulnerabilities.
In addition, ekaris found that Steam's browser runs with the sandbox disabled. This user-protection measure is enabled in Chromium by default, but Valve's developers turned it off for some reason.
Although ekaris has already notified Valve, there is no patch yet, so Steam users are advised to use the client's built-in web browser with redoubled caution.