Want to keep the TNW Conference vibe going?? Tickets for TNW2022 are available now >>

The heart of tech

This article was published on February 3, 2016

Google says Comodo’s ‘secure’ browser isn’t safe to use at all

Google says Comodo’s ‘secure’ browser isn’t safe to use at all
Abhimanyu Ghoshal
Story by

Abhimanyu Ghoshal

Managing Editor

Abhimanyu is TNW's Managing Editor, and is all about personal devices, Asia's tech ecosystem, as well as the intersection of technology and Abhimanyu is TNW's Managing Editor, and is all about personal devices, Asia's tech ecosystem, as well as the intersection of technology and culture. Hit him up on Twitter, or write in: [email protected].

In an advisory published today, a Google engineer has pointed out that security firm’s Comodo suite of tools to stay safe online actually exposes users to possible attacks.

Tavis Ormandy, an information security engineer at Google, reports that the Comodo Internet Security suite installs a new browser called Chromodo and sets it as default during setup.

Ormandy says that when you install Comodo Internet Security, “All shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices.”

What’s especially worrying is that Chromodo disables Chrome’s same-origin policy, which allows a script to access data in another script only if they’re both from the same site.

Without this setting in place, users are vulnerable to attackers who could attempt to intercept their traffic via malicious sites.

Shortly after the Lenovo Superfish adware fiasco last February, Comodo was found adding man-in-the-middle code to its app which caused affected machines to trust self-signed certificates — making it easy for hackers to snoop on users’ information.

If you’ve got Comodo Internet Security installed on your computer, you’re probably better off not using its included browser right now.

Update: Charles Zinkowski, director of corporate communications for Comodo, said in a statement:

The vulnerability was not with Comodo or the Chromodo browser itself, but rather with an add-on. It has been fixed and addressed. Comodo is releasing an update of Chromodo today (Wednesday) without the add-on, removing any issues and the update will go to all current Chromodo users as well.

As an industry, software in general is always being updated, patched, fixed, addressed, improved – it goes hand in hand with any development cycle. What is critical in software development is how companies address an issue if a certain vulnerability is found – ensuring it never puts the customer at risk. At Comodo, the customer always comes first.

➤ Comodo “Chromodo” Browser disables same origin policy, Effectively turning off web security [Google Code via The Register]

Also tagged with