Opened 9 years ago

Closed 9 years ago

#2118 closed defect (fixed)

AVG Security Toolbar installs itself to Firefox.

Reported by: cypherpunks Owned by: erinn
Priority: High Milestone:
Component: Applications/Tor bundles/installation Version: Tor: 0.2.1.26
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

If the AVG Security Toolbar is installed to the local Firefox installation, it will attach itself to instances of Firefox Portable included in the Tor IM Browser Bundle 1.3.10 and previous.

It's major because:

1) AVG Anti-Virus Free updates itself without user intervention. If it was installed with the "AVG Security Toolbar" option checked, and Firefox was installed after AVG, the toolbar will not be in Firefox. However, when AVG auto-updates, it will install the toolbar as a Firefox add-on without the user anything.

2) There is evidence that the toolbar communicates user nationality to power the search field. Correctly localized web pages and news articles are served back to the user even through Tor. The search engine knows the user's language and location settings as they appear to AVG.

3) It automatically pastes searches done in the Firefox search bar into the AVG Security Toolbar search bar. I don't know to what degree that information is sent to their or search engine servers.

4) The computer's administrator may have set the default search engine to Baidu, which is located in China.

5) The user may be unable to change anti-virus settings.

To easily replicate this issue, install AVG Anti-Virus Free (no charge) to a Windows machine with Firefox and select the option to display the AVG Security Toolbar. Or, install Firefox to a Windows machine with AVG Anti-Virus Free, download the latest AVG Anti-Virus Free, Launch it and select "Repair Installation." If AVG auto-updates, it will do this step for you without any prompts except to reboot when it's done! Then launch a Tor Browser instance and a functioning AVG toolbar will be there.

To remedy the issue, an administrator can "Repair Installation" and uncheck the AVG toolbar option, or disable the add-on in Firefox.

Child Tickets

Attachments (1)

AVG.PNG (21.4 KB) - added by cypherpunks 9 years ago.
Screenshot of AVG Security Toolbar in add-on list

Download all attachments as: .zip

Change History (9)

Changed 9 years ago by cypherpunks

Attachment: AVG.PNG added

Screenshot of AVG Security Toolbar in add-on list

comment:1 Changed 9 years ago by erinn

Status: newaccepted

Yikes. This is a terrible bug. Thank you for finding and reporting it!

I think this is a problem with Firefox checking lots of system paths to see where the extensions are, because there are numerous places to put them. I'll see if this can be limited on Windows in any way, by forcing an extension path.

comment:2 Changed 9 years ago by erinn

There is a pref for extensions.enabledScopes which we can set in the prefs.js that might fix this. According to the Mozilla developers, if we set it to 5 it should sufficiently limit the scope and stop picking up system. See:

http://mxr.mozilla.org/mozilla-central/ident?i=PREF_EM_ENABLED_SCOPES
http://mxr.mozilla.org/mozilla-central/source/toolkit/mozapps/extensions/AddonManager.jsm#1013

comment:3 in reply to:  2 Changed 9 years ago by cypherpunks

Replying to erinn:

There is a pref for extensions.enabledScopes which we can set in the prefs.js that might fix this. According to the Mozilla developers, if we set it to 5 it should sufficiently limit the scope and stop picking up system. See:

http://mxr.mozilla.org/mozilla-central/ident?i=PREF_EM_ENABLED_SCOPES
http://mxr.mozilla.org/mozilla-central/source/toolkit/mozapps/extensions/AddonManager.jsm#1013

Adding the line -- user_pref("extensions.enabledScopes", 5); -- to the default prefs.js file in a freshly downloaded Tor IM Browser Bundle 1.3.12 did NOT prevent the AVG Security Toolbar from attaching to Firefox Portable. I checked and the prefs.js file that FF creates on first run was successfully created with that line. Erinn suggested other values for extensions.enabledScopes, as well as exploring methods of controlling extension loading.

comment:4 Changed 9 years ago by erinn

After a bit of research, it seems that the enabledScopes pref only works in Firefox 4. I'm looking into other possible solutions for 3.6.x, such as disabling the Windows registry extension check.

comment:5 Changed 9 years ago by arma

<piebeer> http://portableapps.com/node/16922
<piebeer> chmod 600 extensions.ini, and you winner.
<piebeer> it's fail. no win.
<piebeer> because https://developer.mozilla.org/en/Adding_Extensions_using_the_Windows_Registry

<piebeer> nsExtensionManager.js: this._readAddons(key); comment'em all out
<piebeer> no more registryghosted extensions with such mod.
<piebeer> hah nothing new. http://portableapps.com/node/2838

comment:6 Changed 9 years ago by erinn

I've implemented the fix for this in the latest version of the Windows Tor Browser Bundle (1.3.13). Please test it and let me know if it works for you:
https://www.torproject.org/dist/torbrowser/tor-browser-1.3.13_en-US.exe

comment:7 Changed 9 years ago by erinn

Status: acceptedneeds_review

comment:8 Changed 9 years ago by erinn

Resolution: fixed
Status: needs_reviewclosed

I haven't heard back, but it is fixed when I test it. Closing.

Note: See TracTickets for help on using tickets.