Quick Links

We warned you at the beginning of the year that many of your browser extensions are spying on you, tracking what you are visiting, and even inserting ads into pages. These aren't just no-name developers either: even Avast, one of the most trusted antivirus vendors was in on the game.

Update 2: We just want to point out that this happened in the past, and Avast has cleaned up their act. They have a decent product, and while you can read this for historical purposes, you should know that many of the other antivirus vendors are doing worse things.

Update: Avast has posted a response to our article on their forum. We stand by our article and our research with the exception of one very inconsequential technical detail that we have updated below. The purpose of writing these types of articles isn't to be vindictive -- we just honestly want to make the world a better place for PC users.

Before we go even one step further, it's important to note that they recently disabled the spying "shopping" feature in their browser extension. So if you are running the latest Chrome with extensions updated, you are fine. For now.

So Avast has stopped integrating the spying extension, but this is about the principle: you should be able to trust your antivirus provider. Why are they adding a feature that spies on your browsing, inserts ads... and all without properly notifying you?

And why, at the same time, are they claiming to stop spyware, even uninstalling other shopping extensions from other vendors, while they were doing the same thing they are supposed to stop?

avast_removes_addons

On our test system, the only spyware and crapware that Avast actually detected and removed were the ones that competed with their own shopping extension.

Avast Online Security Extension Added a "Shopping" Component

avast_extension_9_0_safeprice_addition

About a week ago, we were playing around with installing a lot of nonsense from crapware sites, so we loaded up trusty Avast antivirus to see how much of the malware it would actually catch during the process. We were shocked to find out that some of the adware wasn't from a third-party, but from Avast itself.

The problem lies in the SafePrice component of their Online Security extension, which adds shopping recommendations (ads) as you are browsing around the web.

Here's the thing: many people actually want shopping extensions that help them find better prices -- in fact, one of the HTG staff writers recently asked me what was the best way to find better prices. As a standalone product, if you  specifically and deliberately choose to install something like this, there's nothing wrong with it.

The problem is that Avast snuck this component in to their browser extensions that have at least 10 million users for the Chrome version alone. And then they enabled it by default.

Note: as we were doing research for this article, they updated their extension to not include the shopping feature, but it was there since maybe around last December.

Spying, You Say?

You might remember earlier how we said that this extension is spying on you and, unlike many websites, we're definitely not going to make some claim like that without proof of what is really going on. So we loaded up Fiddler to see what's really going on behind the scenes and under the hood and behind the curtain.

As it turns out, every single URL that you visit was being sent to Avast servers -- first there would be a check to /urlinfo on one of their servers, passing in a unique ID that represents you on every single request. In this way they can build a list of every single page you have ever visited. They claim on their web site that they remove all personally identifying information, but how, exactly, are they able to do that when they are tracking every single page you visit and sending back that URL with a unique ID to represent you?

Update: Avast contacted us to point out that the /urlinfo page that we showed in the screenshot is actually part of their security extension, which does make sense. The /offers page, however, is sending back data as well.

Fiddler Avast

That unique tracking ID is the biggest problem here: while it might not identify you by name, it's enough to tie your whole browsing history together, and that's a scary thing.

And remember, you didn't ask for this. You just wanted to keep yourself safe online with a trusted antivirus provider.

The Bottom Line: Browser Extensions Have Wayyyy Too Much Power

Related: Warning: Your Browser Extensions Are Spying On You

This behavior, while ridiculous and sad from a company you should trust, isn't new at all. Almost every product and service on the Internet and almost every browser extension, app, and website, are doing some form of tracking. Here on How-To Geek we use Google Analytics to see our site statistics, and our advertisers probably use a lot of other tracking that we can't control. And it's the same with every single web site.

Personal information and big data have become the standard; because after all: if a product is free, the real product is you. If you are browsing and reading a completely free web site, it's not that big of a deal... after all, sites like ours need to pay our writers, and advertisements are the only way to do that. The problem is when it's across everything you do.

The problem is that most browser extensions have access to everything you are seeing on the Internet, across every web site. And they aren't properly disclosing this to you.

So the next time an extension says it can "Read and modify all your data on the websites you visit", perhaps you should click that "Remove from Chrome" button instead.