Pierluigi Paganini
February 03, 2016
Chromodo is the name of a free browser offered by the Comodo Antivirus firm, it is a customized version of Google’s Chrome browser developed to improve users’ security and privacy. Unfortunately this is not true, the Chromodo browser which is based on the Chromium open-source code is in fact affected by a serious security issue.
Tavis Ormandy, a security expert from Google, analyzed the Chromodo browser discovering a serious flaw that exposes users’ security. The flaw is related to the Same Origin Policy, a fundamental in the web application security model implemented to protect users’ browsing experience.
” The policy permits scripts running on pages originating from the same site – a combination of scheme, hostname, and port number – to access each other’s DOM with no specific restrictions, but prevents access to DOM on different sites.” reads Wikipedia.
Not implementing the Same Origin Policy, a code that runs on one website should be allowed to execute on another website with serious repercussions on the security perspective.
If you are using Chromodo, you must be aware that the browser has the same origin policy disabled.
“When you install Comodo Internet Security, by default a new browser called Chromodo is installed and set as the default browser. Chromodo is described as “highest levels of speed, security and privacy”, but actually disables all web security.” Ormandy wrote in a security advisory.
“Let me repeat that, they ***disable the same origin policy***…. ?!?.. To reproduce, do something like this:
<html>
<head></head>
<body>
<script>
function steal_cookie(obj)
{
// Wait for the page to load
setTimeout(function() {
obj.postMessage(JSON.stringify({
command: "execCode",
code: "alert(document.cookie)",
}), "*");
}, 2000);
}
</script>
<a href="javascript:steal_cookie(window.open('https://ssl.comodo.com/'))">Click Here</a>
</body>
</html>
With Same Origin Policy disabled an attacker can use a malicious script to perform a number of activities including taking over social media accounts and act on behalf of the victim.
Selling antivirus doesn’t qualify you to fork chromium, you’re going to screw it up. https://t.co/Dd0sqhRxwi #antivirus #wtf
— Tavis Ormandy (@taviso) 2 Febbraio 2016
Ormandy reported the issue Jan. 21 and, on Tuesday he revealed that Comodo tried to patch the issue in the Chromodo browser, in particular against an exploit he developed, but the fix doesn’t work.
Let’s wait for a definitive fix from the company.
(Security Affairs –Chromodo, Same Origin Policy,)
