Chromodo browser disables key web security
Wed 3 Feb 2016
A Google Security Research update has claimed that Comodo’s internet browser Chromodo, based on the open-source project Chromium, contains significant security failings and puts its users at risk.
Following the launch of the Chrome web browser seven years ago, many third-party developers built their own versions of it by customising certain settings, for example to improve user privacy. As one of those companies, Comodo released its own amended version, the Comodo Dragon, claiming optimised speed, privacy and security for users.
In 2015, Comodo launched a further Chromium-based web browser, named Chromodo, principally updating the design. As Comodo did not release details about the technical differences between the two browsers, it is difficult to assess whether other structural changes were made.
This week’s Google alert suggested that the Chromodo browser – available as a standalone download, as well as part of the company’s Security package – is in fact less secure than it promises. According to analysis, the browser is disabling the Same Origin policy, hijacking DNS settings, and replacing shortcuts with Chromodo links, among other security violations.
‘The same origin policy is basically disabled for all of your customers, which means there is no security on the web […] this is about as bad as it gets. If the impact isn’t clear to you, please let me know,’ a message to Comodo read.
The critical Same Origin security policy restricts how files and scripts loaded from one origin can interact with those from other origins. Pages have the same origin if they share an identical protocol, port and host.
In the case of the Chromodo browser, the same origin is not taken into account, which means resources hosted on third-party sites can interact with another resource as if they came from the same origin. If exploited, this failure could potentially lead to the theft of cookies and other data.
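
The origin comparison described above, as an added example that is not part of the original article and is not code from Chromium or Comodo. The function names and the `.example` URLs are constructed for illustration; `mayRead` is a hypothetical model of the access decision, showing the result with the policy enforced and with it disabled.

```javascript
// Added illustration, not code from Chromium or Comodo.
// All URLs are constructed samples on the reserved .example TLD.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its (protocol, host, port) tuple.
// Returns null for opaque origins (e.g. data: or file: URLs), which match nothing.
function originTuple(urlString) {
  const u = new URL(urlString);
  if (u.origin === "null") return null;
  // The URL parser drops a scheme's default port, so restore it for comparison.
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { protocol: u.protocol, host: u.hostname, port };
}

function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  if (x === null || y === null) return false;
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// Hypothetical model of the access decision: with the policy enforced, a page
// may read another resource only when the origins match; with it disabled,
// every read is allowed, which is the state the article describes.
function mayRead(readerUrl, targetUrl, policyEnforced = true) {
  return policyEnforced ? sameOrigin(readerUrl, targetUrl) : true;
}

const reader = "https://shop.example/cart";
const samples = [
  "https://shop.example:443/account",  // same origin (443 is the https default)
  "http://shop.example/account",       // different protocol
  "https://pay.shop.example/account",  // different host
  "https://shop.example:8443/account", // different port
  "data:text/html,hello",              // opaque origin
];
for (const target of samples) {
  console.log(target, "enforced:", mayRead(reader, target),
    "disabled:", mayRead(reader, target, false));
}
```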