Avast WEBforum

Consumer Products => Avast Account (my.avast.com) => Topic started by: REDACTED on September 14, 2014, 02:48:27 AM

Title: Security Fail
Post by: REDACTED on September 14, 2014, 02:48:27 AM
Have run into several security flaws.

1. Users are allowed to delete devices from the account (Causing data loss) WITHOUT ENTERING A PASSWORD FIRST.
2. I am not able to remotely log off all devices from the account. (Sometimes a user may forget to log out, and I cannot force them to log off)
3. Users are able to Wipe my device (without my permission, if left alone for a few minutes or if the account gets hacked.)

Today, my friend was accessing my account while I was showing off AVAST ANTI-THEFT. He misread something, thought it was his, and immediately, without a thought, deleted my device from the account, deleting all of my backed-up files (at least from the Avast side), and I had to re-set up the device.
Right away, I said something to him. He apologized a thousand times, but this accident could have been prevented had Avast required him to enter a password, or at least a very short 4-7 digit PIN, first!
Title: Re: Security Fail
Post by: OndraM on September 15, 2014, 12:45:15 PM
Hi,

thanks for the suggestions. We will discuss it with our product management, but I see why we should not add this confirmation password.

Previously we allowed only one concurrent user session, but we removed that later due to complaints. A "Deauthorize" button for all other sessions in settings is definitely a possibility.

Anyway always remember to logout from any of your accounts (avast or other). 
Title: Re: Security Fail
Post by: Lisandro on September 15, 2014, 01:22:47 PM
Why not a timed session that expires? That would mitigate the issue.
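The three controls discussed in this thread (a password check before a destructive action, a "deauthorize all other sessions" button, and a session that expires after inactivity) are standard session-management pieces. The following is an added example written for this page, not Avast's code and not a description of how my.avast.com works; the timeout values, the `SessionStore` API, the PBKDF2 credential store and the `ManualClock` used to drive time are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60    # assumed: seconds of inactivity before a session expires
REAUTH_WINDOW = 5 * 60    # assumed: a device deletion needs a password check this recent


class ManualClock:
    """Deterministic clock so the scenario below can be replayed offline."""
    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t


@dataclass
class Session:
    user: str
    created: float
    last_seen: float      # advanced on every use; drives the idle timeout
    last_reauth: float    # last successful password check (login counts as one)


class ReauthRequired(Exception):
    """Raised when a destructive action is attempted without a recent password check."""


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}   # session id -> Session
        self.passwords = {}  # user -> (salt, pbkdf2 hash); constructed demo credential store
        self.devices = {}    # user -> {device name: backup blob}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password, devices):
        salt = secrets.token_bytes(16)
        self.passwords[user] = (salt, self._hash(password, salt))
        self.devices[user] = dict(devices)

    def check_password(self, user, password):
        rec = self.passwords.get(user)
        if rec is None:
            return False
        salt, expected = rec
        return hmac.compare_digest(self._hash(password, salt), expected)

    def login(self, user, password):
        """Return a fresh session id, or None if the password is wrong."""
        if not self.check_password(user, password):
            return None
        now = self.clock()
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, now, now, now)
        return sid

    def _get(self, sid):
        """Look up a session, expiring it if it has been idle too long."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > IDLE_TIMEOUT:
            del self.sessions[sid]
            return None
        s.last_seen = now
        return s

    def is_active(self, sid):
        return self._get(sid) is not None

    def revoke_other_sessions(self, sid):
        """The 'Deauthorize' button: drop every other session of this user."""
        s = self._get(sid)
        if s is None:
            return 0
        others = [k for k, v in self.sessions.items() if v.user == s.user and k != sid]
        for k in others:
            del self.sessions[k]
        return len(others)

    def reauthenticate(self, sid, password):
        """Step-up check: re-enter the password to refresh last_reauth."""
        s = self._get(sid)
        if s is None or not self.check_password(s.user, password):
            return False
        s.last_reauth = self.clock()
        return True

    def delete_device(self, sid, device):
        """Destructive action: refused unless the password was checked recently."""
        s = self._get(sid)
        if s is None:
            raise PermissionError("no active session")
        if self.clock() - s.last_reauth > REAUTH_WINDOW:
            raise ReauthRequired("enter your password to delete a device")
        return self.devices[s.user].pop(device, None) is not None
```

With this design the accident described above is stopped at `delete_device`: a session that was opened a while ago, or that someone else is sitting at, has to present the password again before anything is destroyed, while ordinary browsing of the account is not interrupted. Idle expiry and revocation of other sessions cover the "forgot to log out" case from the second post.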