
Chromodo Browser has serious security issues

Comodo's Chromium-based web browser Chromodo has significant security issues that put its users at risk, according to a Google Security Research report.

When Google launched its Chrome web browser years ago, several third-party companies created their own versions of the browser, modifying specific settings to improve user privacy.

Comodo was one of those companies; it released a custom, rebranded version of the Chrome browser and launched it as Comodo Dragon.

The browser is optimized for speed, privacy and security according to Comodo. Last year, Comodo released another Chromium-based browser which it named Chromodo.

The core difference between the two browsers seems to be design related only, but it is difficult to tell since Comodo does not reveal detailed information about the differences between the two browsers on its site.

A recent Google report indicates that Comodo's Chromodo browser is less secure than it claims to be. The web browser is available as a standalone download, but it is also included in the company's Internet Security suite offering.

According to Google's analysis of the browser, it is disabling the same origin policy, hijacking DNS settings, replacing shortcuts with Chromodo links, and more.

FYI, I still haven't got a response. The same origin policy is basically disabled for all of your customers, which means there is no security on the web....this is about as bad as it gets. If the impact isn't clear to you, please let me know.

Same Origin is an important security policy which restricts how documents or scripts loaded from one origin can interact with resources from other origins.

Pages have the same origin if they share the protocol, port and host. So, http://www.example.com/ and http://www.example.com/dir1/ share the same origin, as protocol (http), port (default) and host (www.example.com) are identical, while https://www.example.com/ and http://www.example.com/ don't share the same origin, as the protocol (https vs http) is not identical.

Comodo's Chromodo browser does not take same origin into account, which means that scripts or resources from third-party sites can interact with a resource or script as if they came from the same origin.
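The comparison a browser is expected to make, written out as an added example (this is not code from the Google report or from Comodo). The function names are illustrative, and the URLs beyond the two pairs in the text are constructed.

```javascript
// Default port per scheme, so an omitted port compares equal to the explicit one.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443", "ftp:": "21" };

// Reduce a URL to its origin tuple (protocol, host, port).
// Schemes without a tuple origin (data:, file:, about:, ...) yield null:
// browsers treat those as opaque origins that never match anything.
function originTuple(url) {
  const u = new URL(url);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return {
    protocol: u.protocol,
    host: u.hostname, // URL parsing already lower-cases the host
    port: u.port || DEFAULT_PORTS[u.protocol],
  };
}

// List the tuple components that differ; an empty list means same origin.
function originDiff(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  if (x === null || y === null) return ["opaque"];
  return ["protocol", "host", "port"].filter((k) => x[k] !== y[k]);
}

function sameOrigin(a, b) {
  return originDiff(a, b).length === 0;
}

// Constructed sample pairs; the first two are the ones from the text.
const pairs = [
  ["http://www.example.com/", "http://www.example.com/dir1/"],
  ["https://www.example.com/", "http://www.example.com/"],
  ["http://www.example.com/", "http://www.example.com:80/"],
  ["http://www.example.com/", "http://example.com/"],
  ["http://www.example.com/", "http://www.example.com:8080/"],
];
for (const [a, b] of pairs) {
  const diff = originDiff(a, b);
  console.log(`${a}  vs  ${b}  ->  ${diff.length ? "cross-origin (" + diff.join(", ") + ")" : "same origin"}`);
}
```

A browser that enforces the policy refuses script access to another document's cookies and DOM whenever this comparison fails.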

This could result in the stealing of browser cookies among other things if the issue is exploited.

Google released a proof of concept exploit, less than 10 lines of JavaScript code, that lists the data of a stolen cookie in a JavaScript popup in the browser.

Closing Words

It is quite frightening that security companies such as Comodo, AVG or TrendMicro have created products in the past that put users at risk despite claims by these companies that their products improve user privacy and security while on the Internet.

The companies in question fixed the detected issues or are in the process of fixing them, but the underlying implication is more severe than the detected security issue, considering that this should not happen to security companies in the first place.

 

This article was first seen on ComTek's "TekBits" Technology News
