Following fellow author Mark Williamson’s exposé of the Superfish adware pre-installed on Lenovo PCs (Lenovo Distributes Adware on New PCs), news is coming to hand of further instances of Superfish-like intrusions. The most concerning aspect of the more recent revelations is that these intrusions are reportedly even worse than Superfish and emanating from reputable security vendors.
PrivDog is a privacy protection software available as a standalone product for the 3 major browsers – Chrome, Internet Explorer, and Firefox – and also comes bundled with various Comodo products, including Comodo Dragon, Comodo IceDragon, and Comodo Internet Security.
What makes PrivDog an even bigger threat than Superfish is that it intercepts every certificate and replaces it with one signed by its own root key, including certificates that weren’t valid in the first place. This means your browser will just accept every HTTPS certificate thrown at it, making it even easier for attackers to forge trusted credentials that impersonate Banks, Google, or any other HTTPS-protected destination on the Internet.
Lavasoft is involved too!
This behavior has also been identified in Lavasoft’s Adware Web Companion, a free browser add-on available for Chrome, Internet Explorer, and Firefox. Apparently, these companies are utilizing an SSL (Secure Socket Layer) interception module from an Israel-based source called Komodia. Komodia’s website says it produces a “hijacker” that allows users to view data encrypted with SSL technology.:
The hijacker uses Komodia’s redirector platform to allow you easy access to the data and the ability to modify, redirect, block, and record the data without triggering the target browser’s certification warning.
Marc Rogers, a researcher with CloudFlare, has said this means companies which deploy Komodia technology can snoop on web traffic:
These guys can do everything from just collect a little bit of marketing information, all the way to building a profile on you and spying on your banking connections. It’s a very dangerous slope.
Komodia’s website is currently offline, displaying the following message:
Site is offline due to DDOS with the recent media attention. Some people say it’s not DDOS but a high volume of visitors, at the logs it showed thousand of connections from repeating IPs.
** NOTE: PrivDog has since issued an advisory which states that only the PrivDog stand-alone version is affected and Comodo is utilizing a different version which does not include the vulnerability.
This potential issue is only present in PrivDog versions, 220.127.116.11 and 18.104.22.168. The potential issue is not present in the PrivDog plug-in that is distributed with Comodo Browsers and Comodo has not distributed this version to its users. <source>
The addition of Komodia into the equation certainly complicates the situation. I can’t help wondering how many more so-called browser safety add-ons/software might be utilizing Komodia’s interception technology.
- You can check installed browsers for all three vulnerabilities – Superfish, PrivDog, and Komodia – here: https://filippo.io/Badfish/
Seems we, as users, not only have to worry about cybercriminals and malware but also about what so-called reputable companies are getting up to as well.
Trust no one! ~ Wikipedia