Comodo Chromodo Secure Internet Browser exposes you to risk

Pierluigi Paganini February 03, 2016

A security expert discovered that the Comodo Chromodo browser has the ‘Same Origin Policy’ (SOP) disabled by default; if you are using it, you are at risk.

Chromodo is a free browser offered by the Comodo antivirus firm; it is a customized version of Google’s Chrome browser, developed to improve users’ security and privacy. Unfortunately, it does not deliver on that promise: the Chromodo browser, which is based on the Chromium open-source code, is in fact affected by a serious security issue.

Tavis Ormandy, a security expert from Google, analyzed the Chromodo browser and discovered a serious flaw that puts users’ security at risk. The flaw is related to the Same Origin Policy, a fundamental part of the web application security model that protects users while they browse.

“The policy permits scripts running on pages originating from the same site – a combination of scheme, hostname, and port number – to access each other’s DOM with no specific restrictions, but prevents access to DOM on different sites,” reads Wikipedia.

Without the Same Origin Policy, code that runs on one website is allowed to execute in the context of another website, with serious repercussions for security.

If you are using Chromodo, you must be aware that the browser has the same origin policy disabled.

“When you install Comodo Internet Security, by default a new browser called Chromodo is installed and set as the default browser. Chromodo is described as “highest levels of speed, security and privacy”, but actually disables all web security.” Ormandy wrote in a security advisory.

“Let me repeat that, they ***disable the same origin policy***…. ?!?.. To reproduce, do something like this:

<html>
<head></head>
<body>
<script>
function steal_cookie(obj)
{
    // Wait for the page to load
    setTimeout(function() {
        obj.postMessage(JSON.stringify({
            command: "execCode",
            code:    "alert(document.cookie)",
        }), "*");
    }, 2000);
}
</script>
<a href="javascript:steal_cookie(window.open('https://ssl.comodo.com/'))">Click Here</a>
</body>
</html>

With the Same Origin Policy disabled, an attacker can use a malicious script to perform a number of activities, including taking over social media accounts and acting on behalf of the victim.
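
The origin comparison that the Same Origin Policy relies on, written out as an added example (it is not code from Ormandy's advisory or from Comodo), together with a message receiver that applies it to a message shaped like the one in the proof of concept. The function names, the `ping` command and the `attacker.example` origin are assumptions made for illustration.

```javascript
// Added example; function names and sample values are assumptions.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the (scheme, hostname, port) tuple that defines its origin.
// Returns null for anything that has no such tuple (javascript:, data:, "null").
function originTuple(url) {
  let u;
  try { u = new URL(url); } catch (e) { return null; }
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  // The URL parser drops a default port, so put it back before comparing.
  return [u.protocol, u.hostname, u.port || DEFAULT_PORTS[u.protocol]];
}

// Same origin only if scheme, hostname and port all match exactly.
function sameOrigin(a, b) {
  const x = originTuple(a), y = originTuple(b);
  return x !== null && y !== null && x.every((part, i) => part === y[i]);
}

// Receiver-side check for window.postMessage: verify the sender's origin,
// accept only known commands, and never evaluate code carried in a message.
const ALLOWED_COMMANDS = new Set(["ping"]); // hypothetical command set

function handleMessage(event, ownUrl) {
  if (!sameOrigin(event.origin, ownUrl)) {
    return { accepted: false, reason: "cross-origin sender" };
  }
  let msg;
  try { msg = JSON.parse(event.data); } catch (e) {
    return { accepted: false, reason: "malformed message" };
  }
  if (!msg || !ALLOWED_COMMANDS.has(msg.command)) {
    return { accepted: false, reason: "command not allowed" };
  }
  return { accepted: true, command: msg.command };
}

// Constructed sample: a message shaped like the one in the proof of concept,
// arriving from a different site (attacker.example is a placeholder).
const sample = {
  origin: "https://attacker.example",
  data: JSON.stringify({ command: "execCode", code: "alert(document.cookie)" }),
};
console.log(handleMessage(sample, "https://ssl.comodo.com/"));
```

The sample message is rejected on the origin check alone, and an `execCode` message from the page's own origin would still be rejected because it is not in the allowed command set.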


Ormandy reported the issue on Jan. 21, and on Tuesday he revealed that Comodo had tried to patch the issue in the Chromodo browser, in particular against an exploit he developed, but the fix doesn’t work.

Let’s wait for a definitive fix from the company.

Pierluigi Paganini

(Security Affairs – Chromodo, Same Origin Policy)


