It's Superfish all over again, but worse in some cases

PrivDog, Comodo's advertising replacement software, has been flagged by researchers as a risk due to the way it handles SSL connections (often referred to as HTTPS). Like Superfish, PrivDog breaks the trust and protection of HTTPS by using its own certificate as a replacement. The fact that Comodo, both a security vendor and certificate authority, controls PrivDog's development and promotes it doesn't sit well with experts.

If this seems familiar, it is. Last week Lenovo was in the spotlight for pre-installing visual advertising software created by Superfish Inc. that broke SSL. What Comodo has done is similar, but it's a different problem when considering the bigger picture.

It's important to note that researchers have determined that the issue with PrivDog doesn't exist on pre-bundled installs with Comodo's software. The concern is that users who install the software on its own, directly from the PrivDog website, are doing so with the expectation that they're protected from malicious ads and privacy issues. But researchers are making the argument that PrivDog creates privacy problems from the moment it is installed.

The software is performing a TLS Man-in-the-Middle, and does so without any verification. This means PrivDog will accept every certificate, including self-signed ones, and replace it with one signed by its locally installed root certificate. While the problem isn't as widespread as the Lenovo issue, it still could impact hundreds of thousands of people, given that Comodo is a popular security company known for offering free products.

Researcher Johannes (Hanno) Böck published a blog post disclosing the issues surrounding PrivDog on Sunday. In it, the post outlines how the software creates a situation that could be worse than the one created by Lenovo with their Superfish software:

"A quick analysis shows that [PrivDog] doesn't have the same flaw as Superfish, but it has another one which arguably is even bigger. While Superfish used the same certificate and key on all hosts, PrivDog recreates a key/cert on every installation. However, here comes the big flaw: PrivDog will intercept every certificate and replace it with one signed by its root key. And that means also certificates that weren't valid in the first place. It will turn your browser into one that just accepts every HTTPS certificate out there, whether it's been signed by a certificate authority or not."

"There are some things that are completely weird. When one surfs to a webpage that has a self-signed certificate (really self-signed, not signed by an unknown CA) it adds another self-signed cert with 512 bit RSA into the root certificate store of Windows. All other [certificates] get replaced by 1024 bit RSA [certificates] signed by a locally created PrivDog CA."

PrivDog is maintained by AdTrustMedia, LLC, located in Watchung, NJ. They're a Comodo Group company, so Salted Hash has reached out to Comodo for comments and explanations. This post will be updated if they respond.

In related news, Lenovo released an automated removal tool for Superfish on Friday, shortly after Superfish CEO Adi Pinhas went on the attack against claims that his company's software was a security risk.

Update: US CERT has published an advisory on the problem. In response to recent reports, PrivDog has released an update (version 3.0.105.0) to address the problems identified by researchers. The update will also go out automatically to the 57,568 people who were impacted, identified as users of PrivDog versions 3.0.96.0 and 3.0.97.0.
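The interception described above leaves traces a defender can check for on an endpoint: the leaf certificate a browser sees is no longer issued by the site's public CA but by a locally created one, keys shrink to 512 or 1024 bits, and a self-signed site shows up as self-signed in the trusted store. The script below is an added example (not code from the article, from Comodo or from the researcher) that scores a certificate record of the shape returned by Python's ssl.getpeercert() against those indicators; the issuer names, the expected-issuer table and the key sizes are constructed sample data, and the key size is passed in separately because getpeercert() does not expose it.

```python
"""Heuristic check for a local TLS-interception root of the PrivDog/Superfish kind.

Added example, not the article's or PrivDog's own code. It classifies a server
certificate as observed by the local TLS stack: a leaf signed by a locally
created CA, a 512/1024-bit RSA key or a self-signed leaf all suggest interception.
"""
from dataclasses import dataclass

# Assumption: the defender keeps the issuer CN seen for a site from a clean
# machine (a simple trust-on-first-use record). Constructed sample value.
EXPECTED_ISSUER = {"example.com": "Example Public CA"}
# Assumption: substrings of issuer names known to belong to interception roots.
LOCAL_CA_HINTS = ("PrivDog",)

@dataclass
class CertInfo:
    host: str
    subject_cn: str
    issuer_cn: str
    key_bits: int

def from_peercert(host, peercert, key_bits):
    """Build a CertInfo from an ssl.SSLSocket.getpeercert() dict.
    getpeercert() does not expose the key size, so key_bits is supplied by the
    caller (for example read from `openssl x509 -text`)."""
    def cn(rdns):
        return dict(kv for rdn in rdns for kv in rdn).get("commonName", "")
    return CertInfo(host, cn(peercert["subject"]), cn(peercert["issuer"]), key_bits)

def classify(info):
    """Return the list of interception indicators; an empty list means nothing suspicious."""
    findings = []
    if info.subject_cn == info.issuer_cn:
        findings.append("self-signed leaf presented for %s" % info.host)
    if info.key_bits < 2048:
        findings.append("weak RSA key (%d bits)" % info.key_bits)
    if any(h.lower() in info.issuer_cn.lower() for h in LOCAL_CA_HINTS):
        findings.append("issuer looks like a local interception CA: %s" % info.issuer_cn)
    expected = EXPECTED_ISSUER.get(info.host)
    if expected and info.issuer_cn != expected:
        findings.append("issuer changed: expected %r, saw %r" % (expected, info.issuer_cn))
    return findings

# Constructed samples in getpeercert() layout: one re-signed by a local CA, one clean.
SAMPLE_INTERCEPTED = {"subject": ((("commonName", "example.com"),),),
                      "issuer": ((("commonName", "PrivDog Local CA (constructed)"),),)}
SAMPLE_CLEAN = {"subject": ((("commonName", "example.com"),),),
                "issuer": ((("commonName", "Example Public CA"),),)}

if __name__ == "__main__":
    for peercert, bits in ((SAMPLE_INTERCEPTED, 1024), (SAMPLE_CLEAN, 2048)):
        print(classify(from_peercert("example.com", peercert, bits)))
```

To run it against a live endpoint on a suspect machine, feed the dict from `ssl.create_default_context().wrap_socket(...).getpeercert()` and the key size from the exported certificate; an empty result for a site whose issuer is known is the expected clean outcome.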