PrivDog Releases Update After Being Compared to Superfish

The developers of PrivDog released an update for the application on Monday after researchers discovered that it failed to validate SSL certificates.

PrivDog is designed to make surfing the Web safe and private by blocking processes that track users’ activities and by replacing ads with ones that have been vetted by AdTrustMedia. It’s not uncommon for advertising-related apps to put users at risk, but this shouldn’t be the case with PrivDog since the software is backed by Comodo, the renowned security firm and certificate authority. PrivDog is not only promoted by the company, but it’s also bundled with Comodo solutions.

The existence of the security issue came to light just days after the world learned that Lenovo had preloaded an insecure browser add-on from Superfish on new laptops. The Superfish app used a local proxy and a self-signed root certificate to intercept traffic and inject ads into webpages.

The problem, as highlighted by security experts, was that the program broke HTTPS browsing and exposed users to man-in-the-middle (MitM) attacks because all of the certificates had been signed with the same private key protected by the same weak password.

After a detailed analysis, researchers discovered that the vulnerability had been caused by libraries developed by Komodia. These libraries have been used in at least a dozen other applications and even malware.

PrivDog doesn’t use the libraries from Komodia, but a different third-party component that, according to experts, is just as problematic. Because it doesn’t validate SSL certificates, the application exposes users to HTTPS spoofing attacks.

“The MITM capabilities are provided by NetFilterSDK.com. Although the root CA certificate is generated at install time, resulting in a different certificate for each installation, Privdog does not use the SSL certificate validation capabilities that the NetFilter SDK provides. This means that web browsers will not display any warnings when a spoofed or MITM-proxied HTTPS website is visited,” the CERT Coordination Center at Carnegie Mellon University explained in an advisory.
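As an added illustration (not code from PrivDog, the NetFilter SDK, or the CERT advisory), the sketch below shows the upstream leg of a TLS-intercepting proxy using Python's standard `ssl` module: one context with validation switched off, matching the behaviour the advisory describes, beside a validating one, plus a check that flags the difference. All function names are hypothetical.

```python
import ssl


def insecure_upstream_context() -> ssl.SSLContext:
    """Upstream leg with validation off: the failure mode the advisory describes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, including self-signed, is accepted
    return ctx


def validating_upstream_context() -> ssl.SSLContext:
    """Upstream leg that checks the chain and the hostname against the system store."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_upstream_context(ctx: ssl.SSLContext) -> list:
    """Return findings for a proxy's upstream context; an empty list means it validates."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain-not-verified")
    if not ctx.check_hostname:
        findings.append("hostname-not-checked")
    return findings


def may_resign_for_browser(ctx: ssl.SSLContext) -> bool:
    """The proxy re-signs upstream content with its locally trusted root, so the
    browser never sees the real certificate. Upstream validation is the only
    check left, and re-signing is safe only when that check is fully enabled."""
    return not audit_upstream_context(ctx)


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_upstream_context()),
                      ("validating", validating_upstream_context())):
        print(name, audit_upstream_context(ctx), may_resign_for_browser(ctx))
```

A per-installation root certificate does not change the result of this check, because the missing validation is on the proxy-to-server side of the connection.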

In an advisory published on Monday, PrivDog noted that the issue affects versions 3.0.96.0 and 3.0.97.0, but it does not impact the plugin distributed with Comodo Browsers. The company highlighted that while the flaw caused browsers not to trigger warnings for self-signed certificates, it did not break encryption.

The updated version of PrivDog can be downloaded from the official website, but it is also distributed automatically, the company said.

According to PrivDog, the vulnerability impacts up to 57,568 users, roughly 6,000 of whom are located in the United States.

CloudFlare’s Filippo Valsorda has updated his Superfish testing tool to allow users to check if they are running vulnerable versions of PrivDog.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
