If you think you are familiar with HTML and with how browsers work, try answering this question right now: can an image inserted through the IMG tag redirect the page it is inserted into? A strange question, you say. Nevertheless, the answer is not the unambiguous "no" it seems at first glance. In the Opera browser it is possible, which opens a huge field of activity for hijacking user accounts, especially since the vulnerability is still not closed. And according to Opera's statements, it will remain unclosed indefinitely.
What the vulnerability consists of, as well as Opera's official opinion on the subject, is under the cut.
(Opera users should be ready for redirects when opening the post, because people decided to test the vulnerability in the comments.)
In early October, a vulnerability was discovered in the Opera 12 browser that allows a visitor to be redirected to another site through an inserted picture served with specially crafted headers. The largest sites of the RuNet that allow pictures to be inserted through URLs (for example, rutracker - link) were attacked through this vulnerability. Sites that I support myself were also attacked.
How does it work
If an attacker can place in the code of the page being opened an IMG tag pointing at evil.com/evil.png (where evil.com is a server under the attacker's control) and return the following header in response to the request for evil.com/evil.png:
Refresh: 0; url=data:application/internet-shortcut,[INTERNETSHORTCUT]%0D%0AURL=http://evil.com/
then the Opera browser, without asking and without warning the user, will navigate to this address.
And there can be anything there, starting with a login and password form styled like the attacked resource. In the case of my sites, they required me to enter my phone number (I still did not understand why they needed it).
All sites that allow users to insert their pictures through URLs are exposed, and this is possible almost everywhere, from forums on phpBB, LiveJournal and Habrahabr (!) to letters in mail.ru (where pictures in a letter are loaded by default).
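One site-side mitigation for the behaviour described above, as an added example that is not from the original post: instead of letting visitors' browsers fetch user-supplied image URLs directly, the site fetches them through its own proxy and forwards only allowlisted headers, so a Refresh header never reaches the browser. The function name, the header allowlist and the sample responses are assumptions made for illustration.

```python
from email.parser import BytesParser

# Only these upstream headers are ever passed on to the visitor's browser.
FORWARDED = {"content-type", "content-length", "last-modified", "etag"}
# Headers that can trigger navigation; on an image response they are a red flag.
NAVIGATION = {"refresh", "location"}


def filter_image_response(raw_head: bytes):
    """Return (ok, safe_headers, findings) for an upstream HTTP response head."""
    status_line, _, header_block = raw_head.partition(b"\r\n")
    fields = status_line.split(None, 2)
    status = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else 0
    headers = BytesParser().parsebytes(header_block, headersonly=True)

    findings = []
    if status != 200:
        findings.append(f"status {status} is not 200")
    if headers.get_content_maintype() != "image":
        findings.append(f"content type {headers.get_content_type()} is not an image")
    for name, value in headers.items():
        if name.lower() in NAVIGATION:
            findings.append(f"navigation header {name}: {value}")

    # Allowlist, not blocklist: anything unknown is dropped, Refresh included.
    safe = [(n, v) for n, v in headers.items() if n.lower() in FORWARDED]
    return (not findings, safe, findings)


# Constructed sample: the response described above (header value from the post).
HOSTILE = (b"HTTP/1.1 200 OK\r\n"
           b"Content-Type: image/png\r\n"
           b"Refresh: 0; url=data:application/internet-shortcut,"
           b"[INTERNETSHORTCUT]%0D%0AURL=http://evil.com/\r\n"
           b"\r\n")
# Constructed sample: an ordinary image response.
BENIGN = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Type: image/png\r\n"
          b"Content-Length: 1024\r\n"
          b"Server: example\r\n"
          b"\r\n")

if __name__ == "__main__":
    for label, head in (("hostile", HOSTILE), ("benign", BENIGN)):
        ok, safe, findings = filter_image_response(head)
        print(label, "serve" if ok else "refuse", safe, findings)
```

The filter has to run on every fetch the proxy makes, not once when the post is submitted, because the remote server can change its response headers at any time.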
Opera's official response
In a dialogue between Opera's representative in Russia, Ilya Shpankov (shpankov), and the administration of rutracker.org, the following statements were made:
“As it turned out, there is no vulnerability in Opera and the problem is not the result of errors in the browser, but together with the developers of Opera we found a solution on how to avoid similar problems in the future, and this solution will be applied to the soon expected new version of Opera 12.1”
He also quoted the words of Opera Software technical specialists:
“It’s customary in Opera to help sites, even when they are doing something wrong. Therefore, in Opera 12.10, we will disable following shortcuts in the content loaded inside the tag. This is exactly what the browser is expected to do, although in fact this is not described by any standard. So we will do what they want very soon.”
Findings
The representative of Opera, it seems, either does not understand at all what browser security is and does not see the obvious threat that this bug represents, or is trying to put a good face on a bad game, because hardly anything depends on him personally and he is unable to speed up the correction of this bug, so he is trying to save the face of the browser in this difficult situation.
It seems to me that a person who does not understand anything at all about how browsers work would not be hired for such a position, so I am more than confident that his behavior follows the second scenario.
As for the situation as a whole, everything is very, very sad. The Opera browser currently holds about 15% in Runet, while openly stating that “the sheriff is not concerned with other people's problems” and that redirecting sites the devil knows where without the user's knowledge “is not a vulnerability”.
For some reason, the developers call the obvious problems of users the problems of “site owners”, although their product is used not by site owners but by people whose personal information the Opera browser endangers.
Yes, they declare that the vulnerability will be fixed in the next browser release (12.10 stable?), but they do not name a specific date for its release. In the meantime, anyone, not even a hacker but any person at all, using the information about this vulnerability (published recently on rutracker), can cause real problems and suffering for users of this browser.