Google security boffins have thrown the book at Comodo for turning off Chrome security.
As explained in this advisory today, users who install Comodo Internet Security may not realize that their Chrome installation is replaced with Comodo's own browser, Chromodo.
That little bit of crapware isn't secure at all: it's set as the default browser, and "all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices," Google's Tavis Ormandy notes.
Chromodo is promoted as a "private browser" on Comodo's website, but it's not only not private, it's not remotely safe to use, because it also disables Chrome's same-origin policy.
The same-origin policy enforces a rule that one script can only access data in another script if they're both from the same site. Without it, users are exposed to malicious sites sniffing private data.
Google went public with the
feature bug because Comodo was unresponsive, we're told.
It's not the first time Comodo's been called out for crapware. In 2015, its PrivDog browser was slapped down by the US Department of Homeland Security for man-in-the-middling users' SSL sessions.
Given that Comodo is also a certificate authority, bypassing end user security is a serious breach of trust. If you've got Comodo's browser installed on your machine, get rid of it. ®