Google researcher Tavis Ormandy has disclosed that the Chromodo browser installed with Comodo Internet Security disables the same-origin policy by default.
The same-origin policy is a fundamental tenet of web security, ensuring that scripts access data from a second webpage only if the two pages have the same origin.
“Chromodo is described as ‘highest levels of speed, security and privacy,’ but actually disables all web security. Let me repeat that, they ***disable the same origin policy***…. ?!?..” Ormandy wrote in an advisory published Tuesday by Google’s Project Zero research team.
Chromodo is built upon Google’s open source Chromium code base. The Comodo browser is installed as the default browser on machines where it’s installed, along with replacing all shortcuts with Chromodo links.
“They also hijack DNS settings, among other shady practices,” Ormandy wrote.
The issue was reported Jan. 21 and subject to Project Zero’s 90-day disclosure deadline, but yesterday Comodo published what Ormandy determined was an incomplete hotfix. The vendor, Ormandy said, removed a particular API he used in a proof-of-concept exploit.
“This is obviously an incorrect fix, and a trivial change makes the vulnerability still exploitable,” Ormandy said. “After ‘discussion’ with Comodo (I can’t really get any response from them, but I’m trying), I’ll consider this bug fixed and file a new bug with the trivial bypass of their fix as a new issue.”
The same-origin policy is an indispensible part of browser security. Its use restricts the ability of documents or scripts to interact with content from other origins based on URI scheme, hostname, port number and more.