CVE-2020-8987

Published: 09/03/2020 Updated: 10/03/2020
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.4 | Impact Score: 5.2 | Exploitability Score: 2.2
VMScore: 516
CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Vulnerability Summary

Avast AntiTrack prior to 1.5.1.172 and AVG AntiTrack prior to 2.0.0.178 proxy traffic to HTTPS sites but do not validate certificates, so a man-in-the-middle can host a malicious website using a self-signed certificate. No special action is necessary by a victim using AntiTrack with "Allow filtering of HTTPS traffic for tracking detection" enabled. (This is the default configuration.)

Vulnerable Product

avast antitrack

avast avg antitrack

Recent Articles

Avast's AntiTrack promised to protect your privacy. Instead, it opened you to miscreant-in-the-middle snooping
The Register • Shaun Nichols in San Francisco • 10 Mar 2020

HTTPS traffic could be intercepted, manipulated, thanks to sloppy proxy

You'd think HTTPS certificate checking would be a cinch for a computer security toolkit – but not so for Avast's AntiTrack privacy tool. Web researcher David Eade found and reported CVE-2020-8987 to Avast: this is a trio of blunders that, when combined, can be exploited by a snooper to silently intercept and tamper with an AntiTrack user's connections to even the most heavily secured websites. This is because when using AntiTrack, your web connections are routed through the proxy software so th...