Avira Free Antivirus steals user passwords from major browsers

Tomcat



Konstantin Nikolenko (@Veliant), an employee of Doctor Web, published a write-up on Habr about a questionable function in Avira's free antivirus product (Avira Free Antivirus). According to the researcher, one of the components of the free version collects the user's credentials.

First of all, Nikolenko draws attention to a component named "Avira.PWM.NativeMessaging.exe", a .NET executable that is not obfuscated in any way. The "NativeMessaging" in the name refers to the browser native messaging mechanism, by which a browser extension talks to a local executable over its standard input and output.

After examining part of the program, he noted that a "Read" function reads an incoming message, checks its format and passes the command to another function, "ProcessMessage". The latter compares the received command against "fetchChromePasswords" and "fetchCredentials".

After that, as Nikolenko puts it, "the most interesting thing begins": the function "RetrieveBrowserCredentials" is called, whose name alone ("retrieve credentials from the browser") is enough to raise suspicion.

In fact, it turned out that "RetrieveBrowserCredentials" collects all the user credentials stored in the Chrome, Opera, Firefox and Edge browsers and returns them as a JSON object.
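As an added example (not Avira's code and not taken from the researcher's write-up), the following Python sketches the mechanism described above: a native messaging host reads length-prefixed JSON from the browser, dispatches on a command string, and answers with a JSON object. The framing (a 32-bit length in native byte order followed by the JSON body, and Chrome's 1 MB limit on host-to-browser messages) is the documented native messaging protocol. The "command" field name, the mapping of the two quoted command strings to handlers, and the records returned are assumptions or constructed stand-ins; the real component reads the browsers' credential stores, which this code deliberately does not do.

```python
"""Native messaging framing and command dispatch (added example, not Avira's code).

Native messaging hosts exchange JSON with the browser over stdin/stdout.
Each message is prefixed with a 32-bit length in native byte order, and
Chrome refuses host-to-browser messages larger than 1 MB. The dispatcher
mirrors the Read -> ProcessMessage -> RetrieveBrowserCredentials flow the
post describes; the "command" field name and the handler mapping are
assumptions, and the credential records are constructed sample data.
"""
import io
import json
import struct

MAX_HOST_TO_BROWSER = 1024 * 1024  # Chrome's limit on host -> browser messages


def encode_message(obj):
    """Frame a JSON-serialisable object as one native messaging message."""
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_HOST_TO_BROWSER:
        raise ValueError("message exceeds the 1 MB host-to-browser limit")
    return struct.pack("=I", len(body)) + body


def read_message(stream):
    """Read one length-prefixed message; return None on clean EOF."""
    header = stream.read(4)
    if not header:
        return None  # the browser closed the pipe
    if len(header) < 4:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack("=I", header)
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated message body")
    return json.loads(body.decode("utf-8"))


def roundtrip(obj):
    """Encode then decode one message (framing self-check)."""
    return read_message(io.BytesIO(encode_message(obj)))


# Constructed stand-in for the credential-returning routine the post
# describes: fixed sample records, no browser profile is ever opened.
SAMPLE_CREDENTIALS = [
    {"browser": "Chrome", "origin": "https://mail.example.test", "username": "alice"},
    {"browser": "Firefox", "origin": "https://shop.example.test", "username": "alice"},
]


def retrieve_browser_credentials():
    return list(SAMPLE_CREDENTIALS)


# The two command names are the ones quoted in the post; how each maps
# to a handler is an assumption made for this example.
HANDLERS = {
    "fetchChromePasswords": lambda: [
        c for c in retrieve_browser_credentials() if c["browser"] == "Chrome"
    ],
    "fetchCredentials": retrieve_browser_credentials,
}


def process_message(msg):
    """Dispatch one decoded message; malformed or unknown input is refused."""
    if not isinstance(msg, dict) or not isinstance(msg.get("command"), str):
        return {"ok": False, "error": "malformed message"}
    handler = HANDLERS.get(msg["command"])
    if handler is None:
        return {"ok": False, "error": "unknown command: " + msg["command"]}
    return {"ok": True, "command": msg["command"], "result": handler()}


def serve(in_stream, out_stream):
    """Read -> ProcessMessage loop; returns how many messages were handled."""
    handled = 0
    while True:
        msg = read_message(in_stream)
        if msg is None:
            return handled
        out_stream.write(encode_message(process_message(msg)))
        handled += 1


def run_demo():
    """Feed constructed messages through serve() and decode the replies."""
    inbound = io.BytesIO(
        encode_message({"command": "fetchChromePasswords"})
        + encode_message({"command": "fetchCredentials"})
        + encode_message({"command": "deleteEverything"})
        + encode_message(["not", "an", "object"])
    )
    outbound = io.BytesIO()
    count = serve(inbound, outbound)
    outbound.seek(0)
    replies = []
    reply = read_message(outbound)
    while reply is not None:
        replies.append(reply)
        reply = read_message(outbound)
    return count, replies


if __name__ == "__main__":
    for reply in run_demo()[1]:
        print(json.dumps(reply))
```

Run as a script it prints the four replies. The point for a defender is the shape of the channel: the manifest's allowed_origins list is enforced by the browser, not by the host, so any local process that can start the executable and write a well-formed frame to its stdin can issue the same commands.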



Nikolenko says he sent all the necessary information to Avira representatives on April 7, 2020. So far it has not been possible to get a comment from the antivirus vendor on the problem, which has, incidentally, received its own identifier, CVE-2020-12680.