Following fellow author Mark Williamson’s exposé of the Superfish adware pre-installed on Lenovo PCs (Lenovo Distributes Adware on New PCs), news is coming to hand of further instances of Superfish-like intrusions. The most concerning aspect of the more recent revelations is that these intrusions are reportedly even worse than Superfish and emanating from reputable security vendors.
PrivDog is a privacy protection software available as a standalone product for the 3 major browsers – Chrome, Internet Explorer, and Firefox – and also comes bundled with various Comodo products, including Comodo Dragon, Comodo IceDragon, and Comodo Internet Security.
What makes PrivDog an even bigger threat than Superfish is that it intercepts every certificate and replaces it with one signed by its own root key, including certificates that weren’t valid in the first place. This means your browser will just accept every HTTPS certificate thrown at it, making it even easier for attackers to forge trusted credentials that impersonate Banks, Google, or any other HTTPS-protected destination on the Internet.
Lavasoft is involved too!
This behavior has also been identified in Lavasoft’s Adware Web Companion, a free browser add-on available for Chrome, Internet Explorer, and Firefox. Apparently, these companies are utilizing an SSL (Secure Socket Layer) interception module from an Israel-based source called Komodia. Komodia’s website says it produces a “hijacker” that allows users to view data encrypted with SSL technology.:
The hijacker uses Komodia’s redirector platform to allow you easy access to the data and the ability to modify, redirect, block, and record the data without triggering the target browser’s certification warning.
Marc Rogers, a researcher with CloudFlare, has said this means companies which deploy Komodia technology can snoop on web traffic:
These guys can do everything from just collect a little bit of marketing information, all the way to building a profile on you and spying on your banking connections. It’s a very dangerous slope.
Komodia’s website is currently offline, displaying the following message:
Site is offline due to DDOS with the recent media attention. Some people say it’s not DDOS but a high volume of visitors, at the logs it showed thousand of connections from repeating IPs.
** NOTE: PrivDog has since issued an advisory which states that only the PrivDog stand-alone version is affected and Comodo is utilizing a different version which does not include the vulnerability.
This potential issue is only present in PrivDog versions, 3.0.96.0 and 3.0.97.0. The potential issue is not present in the PrivDog plug-in that is distributed with Comodo Browsers and Comodo has not distributed this version to its users. <source>
The addition of Komodia into the equation certainly complicates the situation. I can’t help wondering how many more so-called browser safety add-ons/software might be utilizing Komodia’s interception technology.
- You can check installed browsers for all three vulnerabilities – Superfish, PrivDog, and Komodia – here: https://filippo.io/Badfish/
Seems we, as users, not only have to worry about cybercriminals and malware but also about what so-called reputable companies are getting up to as well.
Trust no one! ~ Wikipedia
Jim, I wonder if using a trusted VPN would prevent such threats, Mindblower!
Used the link to check my Firefox Browser I use in my Mint VM, it said it was OK. Lenovo and with their reputation. Looks like they need some more engineers to build their PC’s. Interesting article. Daniel.
Jim, I have a ? What is the security difference between a http and a https web site address? I know the https web address has a lock that can be ticked to view the web sites certificate. Daniel.
Basically, HTTPS adds encryption to data traveling between parties. It is the result of layering HTTP over TLS (Transport Layer Security). TLS requires the use of certificates and keys for authentication purposes and that is what the likes of PrivDog, Komodia, etc. are interfering with.
https://en.wikipedia.org/wiki/HTTP_Secure
https://en.wikipedia.org/wiki/Transport_Layer_Security
I guess the only real secure connection is to just stay off the internet. Thanks for the info. Daniel.
Jim, I know this is not the place to ask this ? but while we are on the subject of certificates, I used this command (certmgr.msc). I was really interested in the Untrusted Certificates. What does all these entries really mean when it comes to PC security. Daniel.
Consider that as Microsoft’s blacklist which is used to keep you away from those sites.