Citrio Browser? Avoid it.

Avoid Citrio. 

That’s all you really need to know but, if you’re anything like me, you’ll want to know why so I’ll keep writing just in case some of you are still reading.

However, this isn’t exactly a review anymore. Now it’s more like a story, a definite departure from my usual style.

Why? Because if you’re reading this I want you to understand exactly what happened and why I’m telling you that I’d rather put my hand down a garbage disposal with a faulty switch than surf the web with Citrio.

If alarms aren’t sounding off, they should be.

It’s rare I can’t find something positive or encouraging to say, especially about products that are supposedly still in development, and I shy away from posting negative reviews the way other people avoid using the office pen with the chewed cap melded to the end of it.

This is a negative review. In fact, it’s probably the most negative review I’ve ever given but I think it’s imperative to avoid the Citrio Browser. That’s right, not only do I not recommend it, I’m advising you to avoid it.

As many of you know, we like to test, review and promote free and open source software. As a result, we’re often contacted by companies asking us to review their products. While there are some products we’ve chosen not to promote for various reasons, I don’t think we’ve ever quite had a situation like this and I wasn’t keen on a public review. I was so not keen on it, I even contacted the company to make further inquiries, thinking maybe there was some explanation.

But I’m jumping ahead, poor storyteller that I am, so let me go back to where it all began.

Like I said, this is usual for us. We get these requests all the time. About a dozen of us (with varying technical knowledge, located in several countries and testing at differing times over a period of a few months) decided to try Citrio. The result? Every single one of us rejected it, and that has never happened before.

Why was Citrio rejected? Not because it’s another Chromium clone drowning in an already flooded market. Not because it’s bundling the install but adding no value that can’t be improved upon by choosing better extensions from the Chrome store yourself. Not because it comes with the privacy-invading Ask Toolbar. Not because the boasts of it being faster with quicker downloads aren’t true (the original Chromium Browser easily outperforms it at every level) or because it’s orange. (I actually like orange, even if I’m the only one.) The rejections weren’t even based on the fact that an outdated version of the Chromium build would make it a security risk, even if Citrio was “100% clean” as claimed during later inquiries.

We didn’t reject it for any of the reasons you might think but, even with eleven testers in unanimous agreement, I’ll speak only for myself when I say that my problems with Citrio begin and end with this statement, screenshot taken from their site:

No you don’t, I can prove it and now I’m calling you out. 

Citrio’s online web installer can read as clean when scanned by security apps but that doesn’t stop malware from invading during the installation process or during its use once installed, setting off every single security app each of our testers used.

I know some of you just spit whatever it was you were drinking on your keyboards. I’m sorry. Please go dry your keyboards and change your shirts. Fair warning, it doesn’t get better from here:

Citrio has the dubious distinction of being the only browser we ever tested to get firewall alerts.

Oh and then there’s stuff like this happening during the installation, prompting me to wonder the obvious: Should a simple browser installation be setting off security by attempting to make outbound connections universally flagged as malicious by every security app our testers use? (Answer: No.)

Note to self: Drop Malwarebytes a thank you and post another great review about them soon. 

In case you’re interested, here’s the info on that IP address that’s trying to establish an outbound connection during the install. Over a dozen of these alerts popped up like a fireworks display, quicker than any of us could screenshot them and resulting in many blocked outbound connection attempts. I’m sorry but what kind of plague are you again? Because I can think of no good reason why a browser install should set off enough alarms for a major fire.

Citrio comes with pre-loaded extensions as part of the package they pitch for their “100% clean” browser and it’s a problem.

Check out those mind-boggling permissions. Guess there’s little wonder why I’d turn off that Ask Toolbar, huh? But wait – there’s more.

What’s a NewsHub? Let’s investigate… until security informs us that it’s malicious, that is.

Here’s the info on the IP address that NewsHub is trying to contact.

Upon further investigation, NewsHub (whose site prompts you to install their toolbar) has a privacy policy that’s a strong indicator as to why it’s being identified as malicious and blocked. It seems that NewsHub collects your personal data (without clarifying which data, why or what they do with it) and retains the right to ownership of your data for its own not clearly defined use, including never having to delete any and all of the data it collects about you.

NewsHub also makes money off paid advertising and admittedly shares your information with its vendors and advertisers, which is why it insists data security cannot be guaranteed. By data they mean your data, just in case of this is confusing, which is that same data about you that their “systems may associate with your activities”.

I guess “NewsHub” sounded better than “Big Brother” when they were thinking up a name for this “value added service” Citrio bundled into its supposedly privacy-conscious, safety-oriented browser they claim is designed to protect you. This must be Citrio’s idea of that safer surfing thing they were talking about in their grand statement designed to create that public trust they seem to be exploiting instead.

Let’s just sit with that for a moment and let it all sink in.

As I mentioned before, I wanted to be fair. Surely there was some kind of explanation as to why this browser wasn’t faster, better, quicker to download, didn’t respect privacy, was a security risk based on an inferior build, came pre-loaded with questionable extensions identified as malicious processes, used up more resources than it should, and set off every firewall and security alert from installation to attempted use, right?

Of course, I emailed Bruna at Citrio to inquire and this was her response.

Straight up, why would a clean, safe Chromium-based browser need to be whitelisted in the first place? Bruna not only sidestepped the issues, she also attempted to get me to do her homework for her, asking me to name the security apps we used and the Citrio processes they were detecting as malicious. I found this particularly ballsy of Bruna as Citrio chose those processes and obviously knows which ones they are.

Which leads me back to this – Remember the screenshot on Citrio’s site? It said:

Citrio respects your privacy and doesn’t gather any of your personal information. The browser is designed to keep you safe and secure on the web with built-in malware and phishing protection, as well as automatic updates that make sure you have all the latest security fixes.

That statement is there to create trust. 

Citrio is making a promise to the public. They are telling you that they will keep your privacy protected and their product ensures your safety, security and protection. Problem is, that’s not what’s happening here and what pains me is that the trust they talk about seems to be nothing more than a sales pitch cloaking a lie instead; a deception, and users may pay the price for it by unknowingly and unwillingly sacrificing protection, safety, security and personal information.

This was my response to Bruna.

I realize I’ve shown you that I already know about some of these processes, even if she continues to foolishly bet that I don’t; however, I wanted to give her the opportunity to come clean and explain what’s going on. So now that I’ve defined our roles in this matter more clearly, how does Bruna choose to respond to my direct and easy to understand question, “What do you have running in the background or as an extension that makes every security app on eleven machines in seven countries go on high alert and block this browser?” 

She reiterates the party line and simply opts out.

Throughout our correspondence, Bruna attempts to redirect me without answering any of my pointed questions or realistically addressing my concerns. Notice she hasn’t once offered any evidence – no independent test results, no benchmarking, no data, no whitelist information, nothing – to support any of Citrio’s claims to fame and she provides no evidence to back her insistence that Citrio is “100% clean” and not a risk or threat to users.

She never names or discusses even one malicious process, even though her company added them so they clearly know exactly which ones they are and what they do.  Instead, I’m just supposed to take her word for it that everybody’s security apps went off multiple times by mistake. All eleven of us. Because. And she wants me (and you and everyone else) to believe that those alerts are just false positives that need to be corrected when she contacts those trusted big-name companies that lead the security industry. The kind you would have contacted first and already been whitelisted by.

I can’t imagine why any browser, much less a safe one, would require such things but Bruna will continue to invoke her magic word spell anyway, thinking that if she just keeps repeating “Citrio is 100% clean” enough times that would suddenly make it true, even when it’s obviously not.

Of course, I decided to poke around on the internet. A quick search revealed good reviews; however upon closer inspection, they were blurbs from Citrio’s site instead. Wilder Security forums highlight Citrio’s security risks, such as the addition of the notoriously intrusive Ask Toolbar, warnings from Web of Trust, and that Citrio was blocked by Adguard.

Even more disturbing, Reddit not only echoes those concerns, they also out Citrio employees for creating dummy accounts to write fake positive reviews for their own browser. This explains those “reviews that aren’t reviews but are actually Citrio site blurbs” I was seeing before. Reddit users go on to discuss other fishy aspects of Citrio, including the various trustworthy security software it sets off and the suggestions made by dummy accounts as fixes for this, which sound even dodgier than the alerts themselves.

One Reddit user deftly points out that Citrio is owned by a marketing company called Epom (also shown as Citrio’s publisher in the firewall screenshot above) and Citrio’s site confirms its distribution relationship with Epom, Ltd.

Of course I wanted to know more about the marketing company that was distributing this safe, secure browser that protected its users’ privacy.

Epom’s business is ads. They are a marketing company that collects and distributes information, using direct and indirect advertising methods to increase potential sales for the businesses that hire them, while offering full branding and whitelabeling. So what, you say?

Why is a browser – touted for its protection, privacy and safety – setting off constant security alerts, from installation to use, by willingly including malicious elements (such as but not limited to extensions that collect, store and use personal data) being distributed exclusively by a marketing company driven by data mining?

At best, that seems a conflict of interest. All things considered, it comes off like a cleverly packaged and promoted data collection scheme that contradicts Citrio’s statement of trust promised to its users.

Then I read the Geeksided review by Jacob Long about his poor experiences with Citrio. Its dead links to now-deleted pages from Citrio’s site piqued my interest but this is what really grabbed my attention and I quote:

“The Reddit poster notes that upon installation, 5 hidden extensions begin downloading silently in the background. These apparently don’t look nefarious and the code is visible.
However, when the browser is first launched, another extension is sneakily downloaded. This one lacks open code and requires permission to view several Google webpages, particularly those that involve commerce, like Google Wallet. “

“While we can’t say so conclusively, it seems a lot like this browser was developed to collect and track its users’ information for the purpose of selling ads. The business about accessing Google Wallet pages is even more concerning, but the info collection scheme alone is more underhanded than Google, who at least makes it clear that you are storing your information with them.”

That, my friends, is not good.

Taking the dead links as a warning that Citrio likes to delete things from their site, I smartly grabbed screenshots of everything I cited in this article, complete with time/date stamps. If you’re reading this and a link no longer works or you can’t access the information here, please contact me and I will happily include the screenshots I’ve taken.

I wasn’t sure how to respond to Bruna’s last email to me.

It’s clear she expected me to take her word for Citrio’s unsubstantiated claims and wasn’t about to discuss this browser’s real security issues.

I did the one thing she wouldn’t do; which, in my mind, was the only sensible thing to do.

I responded with proof to refute her.

We’ve heard nothing from anyone associated with Citrio.

My final thoughts are simple. It’s important for the public to look into matters before handing over their trust. For users, it’s essential to make smart choices. For companies begging reviews, this is a cautionary tale to be careful what you ask for. You might get it.

Avoid Citrio. Surf smarter. Stay safer. Gen out.

Edit [4 March 2015]  The reasons to avoid the Citrio browser just keep coming. 

11 thoughts on “Citrio Browser? Avoid it.

  1. You say this isn't a review but I'd argue that. This is a great review and a fine public service.
    – Some Tech Guy

  2. I have experienced a documented major privacy security issue with Citrio browser on my third day of assessing it. It is fast and clean though pretty much Chrome Clone. When I selected a search engine for Citrio, Google displayed my choice in box. Beside the box is a place for keyword, In the box was my Google Password.
    Here is the scary part. I never registered with Citrio. I never used Google mail or news in Citrio. My password
    is two unrelated words separated by a symbol, strong password. I was shocked. Stunned I am looking at my Google password. Angry I contacted Google who shrugged to Citrio to offload issue. Citrio really shocked me. I received an email from all people, the CEO of Citrio JACK FAIN. Before inquiring and details or what happened, he spent the first and only paragraph assuring their was nothing wrong with their security in their Citrio Browser….WOW I could not believe the ego on this guy.. The concept of a community of users working to identify and work through problems to improve software is foreign to these people. they are THAT GOOD.
    Imagine seeing your password from another product in your face when setting up a browser.!!!
    YOU TELL ME…RUN FROM THESE PEOPLE…THEY HAVE FAILURE WRITTEN ALL OVER THEIR FUTURE.
    Any serious response to this message that wished to see proof I will be happy to provide it. Just ask.

  3. Major Major Security Issue. When I advised by general support email, I received a blustery defensive response from Jack Fain, Citrio's CEO. With a singles question he assure their was nothing wrong with the security of their browser. WRONG. This browser reveal passwords of users at the IP addess while setting up search engines.
    I have the proof in the form of screenshots and is reproducible.
    Run from this browser.

  4. I would like to see that proof. Thanks for all of the help people. I almost downloaded this horrible product; then I decided to use my God given brain and do some research first. I want the proof to help spread the word. They are trying to auto install this program on people's computers who are in the BitCoin community. You go to certain bitcoin sites and they will try and install this program on your computer w/out asking for permission/consent. Oh yea…investingdotcomsucksballs@yahoo.com <---yes that website also ticked me off =)

  5. Not two hours ago, Citrio sent me a very sophisticated and tempting invitation to download its product. I'm normally a fairly cautious individual and I have had more than one piece of malicious software invade my computer in the past, so before succumbing to their siren call, I went searching for knowledgeable input regarding Citrio, and found your review, Gen. Thanks very much for your post, you saved me a real headache! Thanks as well to all in this string who shared their experiences with this POS.

  6. Thanks for a great in depth review, was is the process of installing citrio whilst reading this article. Safe to say I stopped it immediately and deleted everything related to it including running multiple scans.

    Thanks again

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s