Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

PrivDog Releases Update After Being Compared to Superfish

The developers of PrivDog released an update for the application on Monday after researchers discovered that it failed to validate SSL certificates.

The developers of PrivDog released an update for the application on Monday after researchers discovered that it failed to validate SSL certificates.

PrivDog is designed to make surfing the Web safe and private by blocking processes that track users’ activities and by replacing ads with ones that have been vetted by AdTrustMedia. It’s not uncommon for advertising-related apps to put users at risk, but this shouldn’t be the case with PrivDog since the software is backed by Comodo, the renowned security firm and certificate authority. PrivDog is not only promoted by the company, but it’s also bundled with Comodo solutions.

The existence of the security issue came to light just days after the world learned that Lenovo had preloaded an insecure browser add-on from Superfish on new laptops. The Superfish app used a local proxy and a self-signed root certificate to intercept traffic and inject ads into webpages.

The problem, as highlighted by security experts, was that the program broke HTTPS browsing and exposed users to man-in-the-middle (MitM) attacks because all of the certificates had been signed with the same private key protected by the same weak password.

After a detailed analysis, researchers discovered that the vulnerability had been caused by libraries developed by Komodia. These libraries have been used in at least a dozen other applications and even malware.

PrivDog doesn’t use the libraries from Komodia, but a different third party component which, according to experts, is just as problematic. Because it doesn’t validate SSL certificates, the application exposes users to HTTPS spoofing attacks.

“The MITM capabilities are provided by NetFilterSDK.com. Although the root CA certificate is generated at install time, resulting in a different certificate for each installation, Privdog does not use the SSL certificate validation capabilities that the NetFilter SDK provides. This means that web browsers will not display any warnings when a spoofed or MITM-proxied HTTPS website is visited,” the CERT Coordination Center at Carnegie Mellon University explained in an advisory.

In an advisory published on Monday, PrivDog noted that the issue affects versions 3.0.96.0 and 3.0.97.0, but it does not impact the plugin distributed with Comodo Browsers. The company highlighted that while the flaw caused browsers not to trigger warnings for self-signed certificates, it did not break encryption.

Advertisement. Scroll to continue reading.

The updated version of PrivDog can be downloaded from the official website, but it is also distributed automatically, the company said.

According to PrivDog, the vulnerability impacts up to 57,568 users, roughly 6,000 of which are located in the United States.

CloudFlare’s Filippo Valsorda has updated his Superfish testing tool to allow users to check if they are running vulnerable versions of PrivDog.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Hear from experts as they explore the latest trends, challenges and innovations in Attack Surface Management.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Barbara Larson has joined SentinelOne as Chief Financial Officer.

Amy Howland has been named Partner and CISO at Guidehouse.

Exabeam has appointed Kish Dill as Chief Customer Success Officer.

More People On The Move

Expert Insights