Opera: What's Next (GM#005-OP)

From: GreyMagic Software (securityat_private)
Date: Tue Feb 04 2003 - 13:13:17 PST


    GreyMagic Security Advisory GM#005-OP
    =====================================
    
    By GreyMagic Software, Israel.
    04 Feb 2003.
    
    Available in HTML format at http://security.greymagic.com/adv/gm005-op/.
    
    Topic: Opera: What's Next.
    
    Discovery date: 28 Jan 2003.
    
    Affected applications:
    ======================
    
    Opera 7 (final).
    
    
    Introduction:
    =============
    
    Opera recently released a new version of its browser. 
    
    Like any other browser, Opera supports the "history" object, which makes it
    possible to navigate through the browser history by exposing the "back",
    "forward", and "go" methods. 
    
    
    Discussion: 
    ===========
    
    Opera exposes more than just methods on the history object: it also
    exposes two properties, "next" and "previous". Unlike the methods
    mentioned above, these properties contain actual URLs. 
    
    This means that when a user visits a website, its owner can easily check
    and log where the user was immediately before, and even where he goes right
    afterwards (if the user later returns to the page via the history),
    regardless of whether that previous URL belonged to the owner's web site or
    not. 
    
    Notice that "history.previous" is not the same as the "HTTP_REFERER" header.
    It will return the last URL even if it was not the direct referrer to the
    current URL, which makes Opera's "Enable referrer logging" configuration
    option completely pointless. 
    
    That's a serious breach of privacy, which Opera seems to have implemented
    intentionally. 
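    To make the difference between "history.previous" and the Referer header
    concrete, here is an added illustration that is not part of the advisory: a
    small model of a tab's history stack and referrer handling (the Tab class,
    its methods and the URLs are assumptions for this illustration, not Opera's
    code).

```javascript
// Added example (not from the advisory): models a browser tab so we can compare
// what a page's server sees in the Referer header with what a script on that
// page could read from Opera 7's history.previous / history.next.
class Tab {
  constructor(referrerLogging) {
    this.referrerLogging = referrerLogging; // models "Enable referrer logging"
    this.entries = [];   // history stack of URLs (constructed, in-memory)
    this.index = -1;     // position of the current page in the stack
    this.referer = null; // Referer value the current page's server received
  }
  // viaLink=true: user clicked a link on the current page.
  // viaLink=false: URL was typed, pasted or opened from a bookmark.
  navigate(url, viaLink) {
    const from = this.current();
    // Referer is only sent for link navigations, and only when logging is on.
    this.referer = viaLink && this.referrerLogging && from ? from : null;
    this.entries = this.entries.slice(0, this.index + 1); // drop forward entries
    this.entries.push(url);
    this.index = this.entries.length - 1;
  }
  back() { if (this.index > 0) { this.index--; this.referer = null; } }
  current() { return this.index >= 0 ? this.entries[this.index] : null; }
  // What a script on the current page can observe under the advisory's model:
  // the Referer it may have been given, plus Opera 7's previous/next URLs.
  observable() {
    return {
      referer: this.referer,
      previous: this.index > 0 ? this.entries[this.index - 1] : "",
      next: this.index < this.entries.length - 1 ? this.entries[this.index + 1] : "",
    };
  }
}

// Scenario: the user reads an internal page, types the address of an unrelated
// site, moves on to a third site, then presses Back to the unrelated site.
// All hostnames are constructed placeholders.
function scenario(referrerLogging) {
  const tab = new Tab(referrerLogging);
  tab.navigate("http://intranet.example/secret-project", false);
  tab.navigate("http://tracker.example/", false); // typed, so no Referer
  const onArrival = tab.observable();               // previous leaks intranet URL
  tab.navigate("http://bank.example/", false);
  tab.back();                                       // back on tracker.example
  const afterBack = tab.observable();               // next leaks bank URL
  return { onArrival, afterBack };
}
```

    With referrer logging disabled the Referer is empty in both observations,
    yet the script on tracker.example still learns both neighbouring URLs.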
    
    
    Exploit: 
    ========
    
    The following code demonstrates how to retrieve these properties: 
    
    alert("Last URL: "+history.previous+".\nNext URL: "+history.next+"."); 
    
    
    Demonstration:
    ==============
    
    A proof-of-concept demonstration of this issue is available at
    http://security.greymagic.com/adv/gm005-op/.
    
    
    Solution: 
    =========
    
    Hopefully, Opera will reconsider these properties and remove them from the
    history object. Until then you may prefer to disable JavaScript by going to
    File -> Preferences -> Multimedia and unchecking the "Enable JavaScript"
    item.
    
    Tested on: 
    ==========
    
    Opera 7 NT4.
    Opera 7 Win98.
    Opera 7 Win2000.
    Opera 7 WinXP.
    
    
    Disclaimer: 
    ===========
    
    The information in this advisory and any of its demonstrations is provided
    "as is" without warranty of any kind. 
    
    GreyMagic Software is not liable for any direct or indirect damages caused
    as a result of using the information or demonstrations provided in any part
    of this advisory. 
    
    
    Feedback: 
    =========
    
    Please mail any questions or comments to securityat_private 
    
    - Copyright © 2003 GreyMagic Software.
    



    This archive was generated by hypermail 2b30 : Tue Feb 04 2003 - 13:13:18 PST