Google has called out prominent digital certificates and security vendor Comodo for disabling web security with its web browser, putting users at risk of having their systems compromised by attackers.
Comodo markets several web browsers, aimed at boosting security, speed and privacy. The company also offers other security software such as firewalls and anti-virus utilities.
Google's Project Zero researchers found the Chromodo web browser, installed as part of the Comodo Internet Security suite and based on the open source Chromium software, dsiables the same-origin policy.
Same-origin policy is a cornerstone in web security that stops code on untrusted web sites from interfering with user sessions on other sites, if the scheme, host, or port of a URL link changes between pages.
The researchers found that not only does Chromodo disable same-origin policy, the browser installation also replaces existing browser shortcuts with its own versions.
All Chrome settings are imported along with cookies, and Chromodo also changes domain name system resolver settings, the Google researchers said, without users being notified.
"Chromodo is described as [providing the] "highest levels of speed, security and privacy", but actually disables all web security," they wrote.
"Let me repeat that, they ***disable the same origin policy***.... ?!?."
They posted proof of concept code to demonstrate the vulnerability.
Comodo was notified about the glaring vulnerability in Chromodo with a 90-day deadline before disclosure as per Project Zero's policy, and published a fix that stopped the proof of concept code from working.
The Google team, however, said the fix was incorrect, and trivial changes to the code will make the vulnerability still exploitable.
Comodo had its security practices questioned five years ago, after several of its digital certificate resellers were hacked and false credentials were issued that could be used to intercept Transport Layer Security (TLS) protected communications.
Last year, the company was found to have issued TLS certificates with banned internal names and RFC 1918 private network addreses, which too could be used to facilitate man in the middle interception attacks.
Update 4.2.16: Comodo provided the below statement to iTnews.
"The vulnerability was not with Comodo or the Chromodo browser itself, but rather with an add on. It has been fixed and addressed. Comodo is releasing an update of Chromodo today without the add-on, removing any issues and the update will go to all current Chromodo users as well.
"As an industry, software in general is always being updated, patched, fixed, addressed, improved – it goes hand in hand with any development cycle. What is critical in software development is how companies address an issue if a certain vulnerability is found – ensuring it never puts the customer at risk. At Comodo, the customer always comes first.”