[NT] Sniffing Opera's Tracks

From: support@securiteam.com
Date: 02/10/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 10 Feb 2003 15:34:04 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Sniffing Opera's Tracks
    ------------------------------------------------------------------------

    SUMMARY

    Opera recently released a new version of its browser.

    The new browser features a very useful JavaScript console, which uses a
    few methods Opera implemented in the "opera" object.

    A vulnerability in the "opera" object allows a website owner to include
    JavaScript code that will track down the user's complete navigation
    history.

    DETAILS

    Vulnerable systems:
     * Opera version 7.0 under the Windows operating system

    Immune systems:
     * Opera version 7.01 under the Windows operating system

    These methods appear in the comments of the "console.html" file as
    follows:

     * opera.errorIndex()
    Returns the index of the last error message. This index is
    monotonically increasing (which limits us to about 2^53 errors per Opera
    session).

     * opera.errorMessage(i)
    Returns the error message at index i. The value returned may be #f, if
    that message has been flushed from the cache.

    Opera has not bothered to restrict these methods to certain credentials,
    and they are available for any web page to use. At first glance, this does
    not appear to be a big deal, but a short inspection of the generated error
    messages reveals that each of them contains the URL that threw the
    exception.

    In practice, this means that a web page can extract a list of all URLs
    that the user has visited and that threw any exceptions. In addition, since
    Opera pretends to be Internet Explorer by default, it often encounters
    errors in web pages. Harvesting visited URLs has never been this simple.

    Exploit:
    The following code will generate a list of visited URLs:
    var sMsg,
        sFinal="",
        iLen=opera.errorIndex();

    for (var iErr=0;iErr<iLen;iErr++) {
        sMsg=opera.errorMessage(iErr);
        if (sMsg && /(https?:\/\/\S+)/i.test(sMsg)) sFinal+=RegExp.$1+"\n";
    }
    alert(sFinal);

    Solution:
    Until a patch becomes available, disable JavaScript by going to: File ->
    Preferences -> Multimedia, and uncheck the "Enable JavaScript" item.

    ADDITIONAL INFORMATION

    The original advisory can be found at:
    http://security.greymagic.com/adv/gm006-op/

    The information has been provided by GreyMagic Software
    (security@greymagic.com).
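
The restriction the advisory says was missing, shown as an added example (not part of the original advisory and not Opera's code): a model error log exposed once without and once with a per-origin check. ErrorLog, CONSOLE_ORIGIN, the function names and the sample URLs are assumptions made for illustration.

```javascript
// Added model of a browser error log; not Opera's code. ErrorLog,
// exposeUnrestricted, exposeRestricted and CONSOLE_ORIGIN are hypothetical names.
const CONSOLE_ORIGIN = "browser:console"; // assumed identity of the built-in console page

class ErrorLog {
  constructor() { this.entries = []; }
  // As in the advisory, every stored message carries the URL that threw.
  record(pageUrl, text) {
    this.entries.push({ origin: new URL(pageUrl).origin, message: `${pageUrl}: ${text}` });
  }
}

// Bounds-checked lookup; returns false for a missing entry.
function entryAt(list, i) {
  return Number.isInteger(i) && i >= 0 && i < list.length ? list[i].message : false;
}

// The 7.0 behaviour described above: every caller sees every entry.
function exposeUnrestricted(log) {
  return {
    errorIndex: () => log.entries.length,
    errorMessage: (i) => entryAt(log.entries, i),
  };
}

// Restricted binding, created per calling origin: the console sees all entries,
// a web page sees only errors raised by its own origin. Indexes are relative to
// the filtered view, so the total error count is not leaked either.
function exposeRestricted(log, callerOrigin) {
  const view = () => log.entries.filter(
    (e) => callerOrigin === CONSOLE_ORIGIN || e.origin === callerOrigin);
  return {
    errorIndex: () => view().length,
    errorMessage: (i) => entryAt(view(), i),
  };
}

// Everything a caller holding `api` can read.
function readable(api) {
  const out = [];
  for (let i = 0; i < api.errorIndex(); i++) out.push(api.errorMessage(i));
  return out;
}

// Constructed sample data.
function sampleLog() {
  const log = new ErrorLog();
  log.record("https://mail.example/inbox?user=alice", "Object expected");
  log.record("https://shop.example/cart", "document.all is undefined");
  log.record("https://mail.example/compose", "Syntax error");
  return log;
}

console.log(readable(exposeRestricted(sampleLog(), "https://other.example")));
```

In this model errorIndex() returns a count rather than the index of the last message, which keeps the filtered view simple.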
