A Huge Flaw in the Avast SafeZone Browser

Google Project Zero Security Researcher, Tavis Ormandy, has figured out a huge flaw in the Avast SafeBrowser thereby failing to offer a secure browsing experience to its users. This information comes right after the researcher figured out issues pertaining to the Chromodo browser. Chromodo was found disabling Same Origin Policy [SOP] which is a fundamental security feature. What Avast did is much worse. Avast’s Chromium fork lets the hacker get a tab on the list as well as the files from the computer whenever the user clicks on a link that is malicious.

Also referred to as the Avastium, the custom browser offered by Avast is offered in the form of a bundle download for all those who upgrade to or purchase a paid version of the 2016 Avast Antivirus. This is built exactly the same way as Chromodo on a Chromium platform which is an open source project on which Vivaldi, Opera and Google Chrome are based.

Ormandy explained that the security offering companies are offering a poor excuse of the browser letting in third parties to cause series of attacks on the device and are fooling users to click on a link which isn’t really complicated if hidden under any short URL. He further added that, attackers could easily send malicious commands to RPC endpoint which was left on a browser’s core engine open. The commands could easily be bundled within any malicious JavaScript code that was executed on the computer of the user locally. This would be possible only if the local host allowed the access in order to reach the RPC endpoints. Even if the SafeZone feature wasn’t properly running, the malicious links were clicked through another browser.

In such cases, the attacker wouldn’t even have to steal any information pertaining to the malware strain if they had an idea about where the target had installed the Avast SafeZone. The user doesn’t really have to be using Avastium to let the attackers steal the information. The profile gets automatically imported on start up from Chrome. Without any consent from the user, the preferences, cookies, passwords and bookmarks get added to SafeZone automatically.

In addition, one can send authenticated HTTP requests and also read the response received. This lets the attacker access emails, cookies and interrupt with the online banking feature being accessed by the user. If you have installed SafeZone in your PC then you are certainly doomed as the links that are malicious can be easily opened in the browsers anyhow. This situation can prove out to be tragic for many. The users who have paid money for securing their computers and laptops are practically being offered a backdoor to the attackers.

Avast was informed about this issue and the company came up with a quick fix in a couple of days to prevent the users being exploited. A complete fix was offered for the problem with the latest version of Avast Antivirus which was released on 3rd of February 2016.

Ormandy blamed the entire thing on Avast’s move to overwrite a feature of security within the Chromium setup. This permitted only the web safe URL’s to be opened and with the aid of instructions. With Chromium, the users can only access links from the command line if they began with https, data, java script or http. With the use of SafeZone, the hackers could easily launch links which started with “file://”. This is nothing but a naming scheme which is utilized for accessing local files placed on the disk.


  1. Tatonka October 21, 2016
  2. Joe Smith July 1, 2016
    • asdf February 18, 2017

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.