Avast AntiTrack before 1.5.1.172 and AVG Antitrack before 2.0.0.178 proxies traffic to HTTPS sites but does not validate certificates, and thus a man-in-the-middle can host a malicious website using a self-signed certificate. No special action necessary by the victim using AntiTrack with "Allow filtering of HTTPS traffic for tracking detection" enabled. (This is the default configuration.)
References
Link | Resource |
---|---|
https://www.avast.com/hacker-hall-of-fame/en/researcher-david-eade-reports-antitrack-bug-to-avast | Vendor Advisory |
https://www.davideade.com/2020/03/avast-antitrack.html | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
No history.
Information
Published : 2020-03-09 17:15
Updated : 2024-02-28 17:28
NVD link : CVE-2020-8987
Mitre link : CVE-2020-8987
CVE.ORG link : CVE-2020-8987
JSON object : View
Products Affected
avast
- antitrack
- avg_antitrack
CWE
CWE-295
Improper Certificate Validation