According to a report posted on The Hacker News today, you should reconsider any trust you have put into Avast and AVG antivirus security programs. The list includes Avast Online Security, AVG Online Security, Avast SafePrice, and AVG SafePrice.

A lot of people know that both Avast and AVG are two of the better free antivirus versions being offered to users. But what they might not know is that Avast now also owns AVG. It wasn’t always that way; AVG did start out as an independent company but were bought out by Avast for over a billion dollars back in 2016. So as you can see, even with the free versions that they do offer, it still resulted in many people choosing to buy the paid versions of the programs.

If you do have any of the four AVG or Avast programs listed above installed on your computer, it is advised to remove them if you care at all about privacy and run Google Chrome or Firefox. The Hacker News reported that those programs are doing a lot more spying on their users than has been disclosed. Some or all of those programs will even go so far as to check your web browsing history, though this only happens from Google Chrome and Mozilla Firefox web browsers.

Not everyone cares about privacy. Elon Musk famously stated that no one really cares about what porn you watch. But privacy can extend further than just the fact that someone else knows what you have been doing. For example, it is possible for a company to then sell that data, and then who knows what might happen next.

It’s always a very bad look when trusted companies spy on users, and more than they have disclosed. You are dealing with a billion-dollar enterprise that may only be using that data to help improve its products, or it may be using it for something entirely different that we don’t yet know anything about.

Google Chrome and Firefox both opted to remove the extensions in question, which suggests that the reports are definitely true.
Wladimir Palant is the guy who found out about the extension’s malicious behavior about a month ago. He went on to list the different data types those extensions were collecting. They are as follows:

  • Full URL of the page you are on, including query part and anchor data
  • A unique user identifier (UID) generated by the extension for tracking
  • Page title
  • Referrer URL
  • How you landed on a page, e.g., by entering the address directly, using a bookmark or clicking a link
  • A value that tells whether you visited a page before
  • Your country code
  • Browser name and its exact version number
  • Your operating system and its exact version number

In fairness to Avast and AVG, a lot of similar type of data is collected by the websites that you visit. We, for example, can sometimes see your computer dimensions, the browser you use, the country and even the city you’re in, and other basic information that helps us be better webmasters. But we certainly don’t know any specific details such as your exact location or browsing history — the latter definitely stepping over the line if Avast has done so.

It appears as though that claim is most likely related to the first dot point above: “Full URL of the page you are on, including query part and anchor data.” Some of you may understand how certain types of security may need that information, or others may not. Again, we shouldn’t necessarily defend Avast at this point, because both browsers did choose to remove the extensions from the browser, which suggests both Google and Firefox officials agree that the mentioned Avast and AVG extensions did indeed cross a line and spy on their users.

Source: Avast and AVG Browser Extensions Spying On Chrome and Firefox Users