Researcher Finds Flaw in Comodo’s Custom Security Browser

Security vendor Comodo has long developed a customized version of Google’s Chrome browser based on the Chromium open-source code. In a recent claim, security researcher from Google revealed a significant flaw in the security-centric browser.

After analyzing Comodo’s Chromodo browser, Tavis Ormandy, an information security engineer at Google unearthed a staggering flaw in the browser. Touted as a browser variant of Chrome with added security and privacy controls, Chromodo is often seen as a beefed up version of Chrome with the additional security measures.

However, Ormandy discovered that the browser contains a flaw, a significant one, that fundamentally violates one of the basic principles of web security.

Same Origin Policy

Fundamentally, same origin policy implies that code that runs on one side shouldn’t be allowed to execute on a different website. Such an event would pose a security risk and browsers inherently contain variants of the same energy policy, which are enabled.

However, as Ormandy revealed in an advisory, the same origin policy was found to be disabled in Chromodo.

Explaining how The Chromodo browser comes into a user’s computer, Ormandy wrote:

When you install Comodo Internet Security, by default a new browser called Chromodo is installed and set as the default browser. Additionally, all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices.

Comodo is one of the largest dispensers of SSL/TLS certifcates which are meant to encrypt data traffic. The brand is also one synonymous with consumer-end security products.

Ormandy writes:

Chromodo is described as “highest levels of speed, security and privacy”, but actually disables all web security. Let me repeat that, they  ***disable the same origin policy***…. ?!?..

While Ormandy normally gives companies 90 days-notice to patch a flaw prior to a public reveal, it is notable that the engineer started writing about Chromodo’s vulnerability in January 2016.

The security researcher revealed that despite repeated attempts to have a discussion with Comodo, he hasn’t gotten a proper response from the company. The researcher also tried his own exploit, to which Comodo pushed an update that he deemed was an ‘incorrect fix.’

As things stand, the vulnerability in Chromodo still exists, according to the security researcher.