Google calls out Comodo's Chromodo Chrome-knockoff as insecure crapware

[Batu69]

Installed it for free? Costs the same to uninstall it

Google security boffins have thrown the book at Comodo for turning off Chrome security.

As explained in this advisory today, users who install Comodo Internet Security may not realize that their Chrome installation is replaced with Comodo's own browser, Chromodo.

 

That little bit of crapware isn't secure at all: it's set as the default browser, and "all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices," Google's Tavis Ormandy notes.

 

Chromodo is promoted as a "private browser" on Comodo's website, but it's not only not private, it's not remotely safe to use, because it also disables Chrome's same-origin policy.

 

The same-origin policy enforces a rule that one script can only access data in another script if they're both from the same site. Without it, users are exposed to malicious sites sniffing private data.

 

Google went public with the feature bug because Comodo was unresponsive, we're told.

It's not the first time Comodo's been called out for crapware. In 2015, its PrivDog browser was slapped down by the US Department of Homeland Security for man-in-the-middling users' SSL sessions.

 

Given that Comodo is also a certificate authority, bypassing end user security is a serious breach of trust. If you've got Comodo's browser installed on your machine, get rid of it.

 

Article source

[Petrovic]

Comodo's Internet web browser Chromodo, based on Chromium, has significant security issues according to a Google Security Research report that puts its users at risk while using it.

 

When Google launched its Chrome web browser years ago, several third-party companies created their own version of the browser by modifying specific settings of it that would improve user privacy.

 

Comodo was one of those companies that released a custom rebranded version of the Chrome browser launching it as Comodo Dragon.

 

The browser is optimized for speed, privacy and security according to Comodo. Last year, Comodo released another Chromium-based browser which it named Chromodo.

The core difference between the two browsers seems to be design related only, but it is difficult to tell since Comodo does not reveal detailed information about the differences between the two browsers on its site.

 

 

A recent Google report indicates that Comodo's Chromodo browser is less secure than it claims to be. The web browser is available as a standalone download but it also included in the company's Internet Security suite offering.

 

According to Google's analysis of the browser, it is disabling the same origin policy, hijacking DNS settings, replacing shortcuts with Chromodo links, and more.

Quote

FYI, I still haven't got a response. The same origin policy is basically disabled for all of your customers, which means there is no security on the web....this is about as bad as it gets. If the impact isn't clear to you, please let me know.

 

Same Origin is an important security policy which restricts how documents or scripts loaded from one origin can interact with resources from other origins.

 

Pages have the same origin if they share the protocol, port and host. So, http://www.example.com/ and http://www.example.com/dir1/ share the same origin as protocol (http), port (default) and host (www.example.com) are identical while https://www.example.com/ and http://www.example.com/ don't share the same origin as the protocol (https vs http) is not identical.

 

Comodo's Chromodo browser does not take same origin into account which means that scripts or resources from third-party sites can interact with a resource or script as if it would be from the same origin.

 

This could result in the stealing of browser cookies among other things if the issue is exploited.

 

Google released a proof of concept exploit, less than 10 lines of JavaScript code, that lists the data of a stolen cookie in a JavaScript popup in the browser.

Article source

[Batu69]

Thread has been merged.