Eli Grey

Opera UXSS vulnerability regression

Opera users were vulnerable to a publicly-disclosed UXSS exploit for most of 2010-2012.

I privately disclosed a UXSS (universal cross-site scripting) vulnerability, a complete same-origin policy (SOP) bypass, to Opera Software in April 2010, and recently discovered that Opera suffered a regression of this issue and continued to be vulnerable for over two years after disclosure. The vulnerability was that a data: URI could acquire the same-origin privileges of an origin that had not opened it, by way of a chain of multiple redirects.
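The property that was violated is easy to get wrong in any origin check, so here is an added example (not code from the original post or from Opera) that models how a browser should assign origins along a redirect chain and what a regression test for this bug class looks like. It uses only the WHATWG URL API built into Node; the victim.example and attacker.example hostnames and the redirect chains are constructed for illustration. Note that current browsers refuse navigation redirects to data: URLs outright, so the redirect case only matters in an engine that still allows them.

```javascript
// Origin of a single URL. Schemes with no tuple origin (data:, about:,
// javascript:) serialize to the string "null" in the URL API. Treating that
// string as a comparable value is the classic mistake: two unrelated data:
// documents would then look same-origin. We model an opaque origin as a fresh
// object instead, so it is equal only to itself.
function originOf(urlString) {
  const url = new URL(urlString);
  if (url.origin === "null") {
    return { opaque: true }; // fresh object per document: identity, not value
  }
  return { opaque: false, value: url.origin }; // scheme://host[:port] tuple
}

// Vulnerable comparison: string-compares the serialized origins, so
// "null" === "null" and two data: documents are wrongly considered same-origin.
function naiveSameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Hardened comparison: opaque origins compare by identity, tuple origins by value.
function isSameOrigin(a, b) {
  if (a.opaque || b.opaque) return a === b;
  return a.value === b.value;
}

// The origin a document ends up with after following a redirect chain.
// Rule modelled: every redirect replaces the previous URL entirely, so the
// final URL alone determines the origin; a data: URL at the end of the chain
// gets a fresh opaque origin no matter which origins appeared earlier.
function finalOrigin(redirectChain) {
  if (redirectChain.length === 0) throw new Error("empty redirect chain");
  return originOf(redirectChain[redirectChain.length - 1]);
}

// Regression check for the bug class in the post: a document reached through
// a redirect chain must not be same-origin with the opener or with any
// intermediate hop unless its own final URL actually has that origin.
function isIsolatedFromOpenerAndChain(openerUrl, redirectChain) {
  const docOrigin = finalOrigin(redirectChain);
  const candidates = [openerUrl, ...redirectChain.slice(0, -1)].map(originOf);
  return candidates.every((o) => !isSameOrigin(o, docOrigin));
}

// Constructed scenario: victim opens a window that bounces through the
// attacker's site and lands on a data: URI. The data: document must end up
// isolated from victim.example.
const dataDocumentIsolated = isIsolatedFromOpenerAndChain("https://victim.example/", [
  "https://attacker.example/redirect-1",
  "https://attacker.example/redirect-2",
  "data:text/html,<script>document.title='isolated'</script>",
]);

module.exports = { originOf, naiveSameOrigin, isSameOrigin, finalOrigin, isIsolatedFromOpenerAndChain, dataDocumentIsolated };
```

The last assertion is the shape a regression test for this bug should take: it encodes the invariant (a data: document reached via redirects never shares victim's origin) rather than a specific proof of concept, so it keeps failing if the bug is reintroduced by a different code path.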

I asked for a status update 50 days after disclosing the vulnerability, as another Opera beta release was about to be published. Opera responded by saying that they were pushing back the fix.

I publicly disclosed the vulnerability with a PoC exploit on Twitter on June 15, 2010. This was slightly irresponsible of me (at least I included a kill switch), but please keep in mind that I was 16 at the time. The next week, Opera published new mainline releases (10.54 for Windows/Mac and 10.11 for Linux) and said that those releases should fix the vulnerability. I tested my PoC and it seemed to be fixed.

Shortly afterwards, the vulnerability regressed into Opera again without my noticing. I suspect that this was due to the rush to fix their mainline branch and a lack of coordination between their security and release teams. The regression was caught two years later by M_script on the RDot Forums, and documented in English by Detectify Labs.

Opera Software’s management should not have allowed this major flaw to regress for so long.

One Comment

  • Eli,

    I am creating a site for writing that allows students to pull up their final product in Word format. A programmer used the saveAs() FileSaver implementation you programmed to accomplish this. Unfortunately, what he programmed wouldn’t work on iPhones or iPads. He claimed he needed to use net.core. There have been a lot of issues with net.core and PHP, and I understand that JavaScript can work with iPhones and iPads if you use the JavaScript window open method. Is this something I can incorporate into your program or into the other files? Do you have any experience using this method with iPhones or iPads? Please let me know.