Security vulnerabilities were found in the Avast Antitrack tool. Man-in-the-middle (MiTM) attacks could have been possible due to a vulnerability in the certificate validation feature.
Researcher David Eade said in his blog post:
‚Avast Antitrack does not check validity of end web server certificates. A remote attacker running a malicious proxy could capture their victim’s HTTPS traffic and record credentials for later re-use. If a site needs two factor authentication (such as a one-time password), then the attacker can still hijack a live session by cloning session cookies after the victim logs in.‘
Avast released a statement saying that the issues have been fixed through an update pushed to all AntiTrack users.