September 23, 2020

RESEARCHER WLADIMIR PALANT SUPPORTS AVAST'S EFFORTS TO PROTECT ITS USERS BY SUBMITTING VULNERABILITY REPORTS

The heroes behind bug submissions often remain anonymous, which is something we would like to change for 2020. We want to raise awareness around the importance of bug and vulnerability reports, and encourage researchers to use our responsible disclosure process to report findings. Therefore, we have today introduced our new “Hacker Hall of Fame” page where, from now on, we will publicly acknowledge researchers who report critical bugs to us and share our appreciation for them helping us keep our solutions as secure as possible.

The first researcher we would like to extend a big thanks to is Wladimir, who reported vulnerabilities to Avast in October 2019 via our bug bounty program. Thanks to Wladimir’s submissions, Avast patched the following vulnerabilities and weaknesses:

  • A remote code execution bug affecting the Avast and AVG Secure Browsers that allowed arbitrary sites to execute code using the Video Downloader extension included in the browsers
  • A vulnerability in the Avast Online Security browser extension that could have been used to execute arbitrary applications with user privileges, by connecting to the same port the extension uses to communicate with Avast Antivirus
  • Weaknesses in the Avast Passwords application that could have allowed a website to obtain credentials used for another website domain by misusing the extension’s sidebar functionality via clickjacking, and could also lock the user out of Avast Passwords. As a result, we also fixed how Avast Passwords enters credit card information into forms, which could have been abused using double clickjacking. We also addressed a weakness in how the Avast Passwords extension prompts users to save credentials: when a user entered a password manually into a website and then visited a third-party website, the third-party website could potentially take action to access the credentials.

We want to say thanks again to Wladimir for taking the time and effort to discover and report these flaws to us, helping us improve our products and keep our users secure.

If you have discovered a vulnerability in an Avast product or solution, check out our bug bounty page to learn how you can submit your discovery!  