Category Archives: Articles

“Taking Control of Your Application Security”

  Application security is hard. Finding the right people to perform application security work and manage the program is even harder. The application security space has twice as many job openings as candidates. Combined that with the fact that for every 200 software engineers there is only 1 security professional, how do we staff a … Continue reading Taking Control of Your Application Security

Chromodo Browser Disables Same-Origin Policy

Google researcher Tavis Ormandy has disclosed that the Chromodo browser installed with Comodo Internet Security disables the same-origin policy by default.

The same-origin policy is a fundamental tenet of web security, ensuring that scripts access data from a second webpage only if the two pages have the same origin.

“Chromodo is described as ‘highest levels of speed, security and privacy,’ but actually disables all web security. Let me repeat that, they ***disable the same origin policy***…. ?!?..” Ormandy wrote in an advisory published Tuesday by Google’s Project Zero research team.

Chromodo is built upon Google’s open source Chromium code base. The Comodo browser is installed as the default browser on machines where it’s installed, along with replacing all shortcuts with Chromodo links.

“They also hijack DNS settings, among other shady practices,” Ormandy wrote.

The issue was reported Jan. 21 and subject to Project Zero’s 90-day disclosure deadline, but yesterday Comodo published what Ormandy determined was an incomplete hotfix. The vendor, Ormandy said, removed a particular API he used in a proof-of-concept exploit.

“This is obviously an incorrect fix, and a trivial change makes the vulnerability still exploitable,” Ormandy said. “After ‘discussion’ with Comodo (I can’t really get any response from them, but I’m trying), I’ll consider this bug fixed and file a new bug with the trivial bypass of their fix as a new issue.”

The same-origin policy is an indispensible part of browser security. Its use restricts the ability of documents or scripts to interact with content from other origins based on URI scheme, hostname, port number and more.