Chromodo is a free browser offered by the antivirus firm Comodo. It is a customized build of the Chromium open-source code on which Google's Chrome is based, and it is marketed as improving users' security and privacy. Unfortunately, the opposite is true: Chromodo is affected by a serious security issue.
“The policy permits scripts running on pages originating from the same site – a combination of scheme, hostname, and port number – to access each other’s DOM with no specific restrictions, but prevents access to DOM on different sites.” reads Wikipedia.
Without the Same Origin Policy enforced, code running on one website is allowed to execute against, and read the content of, any other website open in the browser, which has serious security repercussions.
If you are using Chromodo, be aware that the browser ships with the same origin policy disabled.
“When you install Comodo Internet Security, by default a new browser called Chromodo is installed and set as the default browser. Chromodo is described as “highest levels of speed, security and privacy”, but actually disables all web security.” Ormandy wrote in a security advisory.
“Let me repeat that, they ***disable the same origin policy***…. ?!?.. To reproduce, do something like this:
With the Same Origin Policy disabled, an attacker can use a malicious script to perform a number of actions, including taking over the victim's social media accounts and acting on their behalf.
— Tavis Ormandy (@taviso) 2 February 2016
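To make the policy described above concrete, here is an added illustration written for this article (it is not code from the article, from Chromium or from Comodo). It computes the (scheme, host, port) origin tuple, performs the same-origin check a browser applies before one page's script may touch another page's DOM, and shows how the set of documents reachable by a malicious page changes when the policy is switched off, as Ormandy reports for Chromodo. The URLs and the list of open tabs are constructed sample data; `attacker.example`, `social.example` and `bank.example` are placeholders.

```javascript
// Added illustration for this article, not Chromium's or Chromodo's code.
// Models the Same Origin Policy check a browser performs before letting a
// script on one page touch the DOM of another, and what changes when the
// policy is switched off.

// Default ports per scheme, so https://example.com and
// https://example.com:443 compare as the same origin (the WHATWG URL parser
// already strips a default port, so u.port is "" in that case).
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Origin = (scheme, host, port) tuple, as the quoted definition says.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,                             // includes the trailing colon
    host: u.hostname.toLowerCase(),                 // hostname only, no port
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

function isSameOrigin(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// A browser deciding whether a script loaded from scriptUrl may read or
// modify the DOM of a document at targetUrl. sopEnabled = false models the
// Chromodo behaviour described above: every page is readable by every other.
function domAccessAllowed(scriptUrl, targetUrl, sopEnabled = true) {
  if (!sopEnabled) return true;
  return isSameOrigin(scriptUrl, targetUrl);
}

// Given the documents a victim has open, return those a malicious page at
// attackerUrl could reach through an iframe's contentDocument or a
// window.open() handle.
function exposedDocuments(attackerUrl, openDocumentUrls, sopEnabled = true) {
  return openDocumentUrls.filter((doc) => domAccessAllowed(attackerUrl, doc, sopEnabled));
}

// Constructed sample session (hypothetical hosts): a social network, its API
// host, and a bank reached over both HTTPS and plain HTTP.
const SAMPLE_TABS = [
  "https://social.example/home",
  "https://api.social.example/v1/me",
  "https://bank.example:443/accounts",
  "http://bank.example/legacy",
];

function demo() {
  const attacker = "https://attacker.example/evil.html";
  return {
    withSop: exposedDocuments(attacker, SAMPLE_TABS, true),     // nothing reachable
    withoutSop: exposedDocuments(attacker, SAMPLE_TABS, false), // every tab reachable
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

In a browser that enforces the policy, the cross-origin cases above are what make `iframe.contentDocument` come back `null` and `frame.contentWindow.document` throw a `SecurityError`; with the policy disabled those reads succeed, which is the condition that lets a script on an attacker's page read and drive a logged-in social media session.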
Ormandy reported the issue on Jan. 21, and on Tuesday he revealed that Comodo had tried to patch the issue in the Chromodo browser, specifically against an exploit he had developed, but that the fix does not work.
Let’s wait for a definitive fix from the company.
(Security Affairs – Chromodo, Same Origin Policy)