Author Topic: Issues regarding the security of Avast Secure Browser (bank mode)  (Read 2271 times)

Offline svnupa

For a few years I have been working with the Avast Antivirus Engine and the Secure Browser.
It's a very comfortable and secure way to work on the internet, with extensive ways to configure it (I like it  :D).

Unfortunately it works with Windows on-board tools inside the bank mode.
It's like locking your house but leaving the back door of the building open.

If you find a way to exchange one of these files (e.g. notepad.exe or calc.exe), it is possible to break into the sandbox.
I tried it with Metasploit and a reverse TCP connection on my local PC system (combined with VirtualBox).
The result was that I had the possibility to log the keyboard input inside the sandbox.
This is really too simple.  :o

Why doesn't Avast create its own tools inside the bank mode?
Another idea is to transfer the ASB bank mode to a window instead of a full-screen mode.
All keyboard inputs could be encrypted (my home bank works this way).
Anyone could use all the tools they need without limitation.

It's only a report, nothing more.
Perhaps somebody can say more about this (e.g. level or reason of development).
Windows 10 Professional - Avast Free Antivirus - Avast Secure Browser
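
An added example, not part of the original post and not Avast's code: a defender-side check that the Windows tools named above (notepad.exe, calc.exe) are still the Microsoft-signed OS binaries and have not been exchanged. It assumes Windows PowerShell 5.1 or later and the default `System32` paths; the function name `Test-SystemTool` is hypothetical.

```powershell
# Added example: verify that the tools named in the post are unmodified OS binaries.
# Assumptions: Windows PowerShell 5.1+, default install paths under %SystemRoot%\System32.
function Test-SystemTool {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{
        Path = $Path; Present = $false; Status = $null
        SignatureType = $null; IsOSBinary = $false; Signer = $null
        SHA256 = $null; Verdict = 'MISSING'
    }
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        $result.Present       = $true
        $result.Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        $result.SignatureType = $sig.SignatureType   # Authenticode (embedded) or Catalog
        $result.IsOSBinary    = $sig.IsOSBinary
        if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }
        # The hash is recorded so the file can be compared with a known-good baseline.
        $result.SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

        # Pass only if the signature is valid AND Windows recognises an OS binary.
        # An unsigned file, or one validly signed by another publisher, fails.
        $result.Verdict = if ($sig.Status -eq 'Valid' -and $sig.IsOSBinary) { 'OK' } else { 'SUSPECT' }
    }
    [pscustomobject]$result
}

$tools = 'notepad.exe', 'calc.exe' |
    ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }

$report = $tools | ForEach-Object { Test-SystemTool -Path $_ }
$report | Format-Table Path, Verdict, Status, SignatureType, Signer -AutoSize

# List anything that is missing or failed the check, with its hash for follow-up.
$report | Where-Object Verdict -ne 'OK' | Format-List Path, Verdict, Status, Signer, SHA256
```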

Offline Asyn

W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Luukjr

Re: Issues regarding the security of Avast Secure Browser (bank mode)
« Reply #2 on: April 11, 2020, 11:51:26 AM »
Suppose you use the 2-Step Verification to log in to your bank, how likely is it that the secure browser bank mode can be abused? Just a question from an interested layman. ???
« Last Edit: April 11, 2020, 12:44:17 PM by Luukjr »
OS: Windows 10 Home
Soft: Avast Premium Security  / Avast Cleanup / Malwarebytes Premium

Offline bob3160

Re: Issues regarding the security of Avast Secure Browser (bank mode)
« Reply #3 on: April 11, 2020, 03:01:42 PM »
I don't follow your 2 step question? In bank mode, you would enter your user name and p/w then you would receive your numeric or alphanumeric code via your smart device and enter it into the appropriate place. How is that bypassing anything?
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline svnupa

Re: Issues regarding the security of Avast Secure Browser (bank mode)
« Reply #4 on: April 12, 2020, 10:36:27 AM »
I share this opinion. 2FA is as safe as it can be.
The risk is higher for services which use no 2FA function.

Besides that, you have nothing to fear if you don't use the tools inside the sandbox.
Then nothing can be bypassed (I don't know a way).

Also I'm really sure that somebody at Avast has already thought about that problem.
Windows 10 Professional - Avast Free Antivirus - Avast Secure Browser