Browsing histories and other data is being exposed on the internet by a Google Chrome extension that AVG AntiVirus inevitably installs on user's systems.

Google Project Zero researcher Tavis Ormandy found that “This extension adds numerous JavaScript APIs to Chrome, apparently so that they can hijack search settings and the new tab page. The installation process is quite complicated so that they [AVG] can bypass the Chrome [Store] malware checks, which specifically tries to stop abuse of the [Chrome] Extension API.”

A vulnerability that was discovered is a “Trivial universal” XSS in the navigate API that can let websites execute scripts in any other territories. Therefore, a website can read emails from Google mail and simultaneously perform other actions due to the high-severity flaw. The API extension also exposes the browsing history of a user to the internet and can be used for Remote Code Execution.

Version of AVG Web Tune UP fixed the security issues. Google has blocked AVG's skill of carrying out inline installations of this extension. The Chrome Web Store team is reviewing AVG for the possibility of Web Store policy violations.