In an advisory published today, a Google engineer has pointed out that security firm’s Comodo suite of tools to stay safe online actually exposes users to possible attacks.
Tavis Ormandy, an information security engineer at Google, reports that the Comodo Internet Security suite installs a new browser called Chromodo and sets it as default during setup.
Ormandy says that when you install Comodo Internet Security, “All shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices.”
What’s especially worrying is that Chromodo disables Chrome’s same-origin policy, which allows a script to access data in another script only if they’re both from the same site.
Without this setting in place, users are vulnerable to attackers who could attempt to intercept their traffic via malicious sites.
Shortly after the Lenovo Superfish adware fiasco last February, Comodo was found adding man-in-the-middle code to its app which caused affected machines to trust self-signed certificates — making it easy for hackers to snoop on users’ information.
If you’ve got Comodo Internet Security installed on your computer, you’re probably better off not using its included browser right now.
Update: Charles Zinkowski, director of corporate communications for Comodo, said in a statement:
The vulnerability was not with Comodo or the Chromodo browser itself, but rather with an add-on. It has been fixed and addressed. Comodo is releasing an update of Chromodo today (Wednesday) without the add-on, removing any issues and the update will go to all current Chromodo users as well.
As an industry, software in general is always being updated, patched, fixed, addressed, improved – it goes hand in hand with any development cycle. What is critical in software development is how companies address an issue if a certain vulnerability is found – ensuring it never puts the customer at risk. At Comodo, the customer always comes first.