Besides computer manufacturer Lenovo, security software developer Comodo also appears to bundle adware that intercepts SSL traffic with its software. The impact of the adware bundled by Comodo is, however, much bigger than that of Lenovo's Superfish, according to security researcher Hanno Böck. Comodo is best known for its Comodo Internet Security and Comodo Dragon browser software. With some of these applications the developer bundles the PrivDog adware.
Like Superfish, PrivDog intercepts HTTPS traffic to inject advertisements from "reliable parties". The HTTPS traffic filter feature was already discussed on the Comodo forum last year. After the Lenovo Superfish scandal this software is now also in the spotlight, because a user found out that the PrivDog software has similar functionality. The user wanted to test his computer for the Superfish adware and found that, although he did not have that adware installed, his HTTPS traffic was still being intercepted. He discovered that his computer contained PrivDog.
PrivDog does not contain the same vulnerability as Superfish, which uses one weak certificate, with a weak password protecting its private key, on every installation; according to Böck it contains a much more severe one. Whereas Superfish uses the same certificate and key for all installations, PrivDog generates a different key and certificate for each installation. The bigger issue is that PrivDog intercepts every certificate a site presents and replaces it with a new certificate signed by its own locally installed root certificate.
Certificates that were not valid in the first place are replaced as well. Because the replacement always carries a signature from a root the browser trusts, the browser accepts every HTTPS certificate, regardless of whether the original was signed by a Certificate Authority (CA) or not. "We're still trying to figure out the details, but it looks pretty bad", Böck notes. The researcher also finds it strange that Comodo, which is a CA itself, bundles the adware with its own software.
“This makes this case especially interesting because Comodo itself is a certificate authority”, the researcher concludes.
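The two checks below show how a user can establish what the reader in this story stumbled upon: whether a program on the machine is rewriting HTTPS certificates. This is an added example written for this article; it is not code from the article, from Comodo or from PrivDog. It uses only the Python standard library. The first probe looks at who issued the certificate a public site presents (the chain should end at a public CA, not at a per-machine root); the second, the decisive one given the behaviour described above, connects to a host that deliberately serves an invalid certificate and reports whether the handshake succeeds anyway. The interceptor name list and the sample certificates are constructed for the example, and the live run at the bottom assumes network access and that self-signed.badssl.com still serves an invalid certificate.

```python
"""Added example: detect a local root that rewrites HTTPS certificates.

Probe 1 (classify_issuer): inspect the issuer of a well-known site's cert.
Probe 2 (invalid_cert_accepted): connect to a host whose certificate is
known to be invalid; with normal verification the handshake MUST fail. If
it succeeds, something between the client and the network is re-signing
invalid certificates with a root the machine trusts, which is exactly the
PrivDog behaviour the article describes.
"""
import socket
import ssl

# Substrings that, appearing in an issuer name, point at a known interception
# product. Illustrative list chosen for this example, not an authoritative one.
KNOWN_INTERCEPTORS = ("privdog", "superfish", "adtrustmedia")


def flatten_name(rdns) -> dict:
    """Turn the tuple-of-RDN-tuples used by ssl.getpeercert() into a flat dict."""
    fields = {}
    for rdn in rdns:
        for key, value in rdn:
            fields[key] = value
    return fields


def classify_issuer(cert: dict) -> str:
    """Classify a parsed certificate (the dict ssl.getpeercert() returns).

    'intercepted'  issuer names a known interception product
    'self-signed'  issuer equals subject (a browser would normally warn)
    'ok'           anything else
    """
    issuer = flatten_name(cert.get("issuer", ()))
    subject = flatten_name(cert.get("subject", ()))
    haystack = " ".join(str(v) for v in issuer.values()).lower()
    if any(name in haystack for name in KNOWN_INTERCEPTORS):
        return "intercepted"
    if issuer and issuer == subject:
        return "self-signed"
    return "ok"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with default (verifying) settings and return the peer cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def invalid_cert_accepted(host: str, port: int = 443) -> bool:
    """Probe 2: True if a host known to serve an INVALID certificate is
    nonetheless accepted. Connectivity errors propagate rather than being
    mistaken for a verdict."""
    try:
        fetch_peer_cert(host, port)
    except ssl.SSLCertVerificationError:
        return False  # verification rejected the bad certificate, as it should
    return True  # a trusted root turned a bad certificate into a good one


# Constructed sample certificates in getpeercert() layout, for offline use.
SAMPLE_PUBLIC = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA Ltd"),),
               (("commonName", "Example Public CA"),)),
}
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "PrivDog"),),
               (("commonName", "PrivDog (constructed sample root)"),)),
}
SAMPLE_SELF_SIGNED = {
    "subject": ((("commonName", "self-signed.example.test"),),),
    "issuer": ((("commonName", "self-signed.example.test"),),),
}


if __name__ == "__main__":
    # Live run: assumes network access and that self-signed.badssl.com still
    # serves an invalid certificate, as it did when this example was written.
    print("www.example.com issuer looks:", classify_issuer(fetch_peer_cert("www.example.com")))
    if invalid_cert_accepted("self-signed.badssl.com"):
        print("WARNING: an invalid certificate was accepted; a local root is rewriting TLS")
    else:
        print("invalid certificate correctly rejected")
```

The issuer-name check is only a convenience: a root generated per installation need not carry a recognisable name, so a clean result from probe 1 proves little. Probe 2 does not depend on names at all; if a certificate that should be rejected is accepted, the machine trusts a root that is re-signing traffic, which is precisely the failure Böck describes.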
The CERT Coordination Center (CERT/CC) of Carnegie Mellon University now also warns about PrivDog. According to CERT/CC, an attacker is able to spoof HTTPS sites and intercept HTTPS traffic without the user receiving any certificate warning. The organisation advises users to remove PrivDog, which also removes the affected root certificate.