Pwning Opera Unite with Inferno's Eleven ---------------------------------------- Complete Post at http://securethoughts.com/2009/08/pwning-opera-unite-with-infernos-eleven/ Opera Unite, the upcoming version of the Opera browser has a strong vision to change how we look at the web. For those who are unknown to this radical technology, it extends your browser into a full-blown collaboration suite where you can chat with people, leave notes, share files, play media, host your sites, etc. (Wow!!). Opera Unite comes bundled with a bunch of standard services such as Fridge (Notes), The Lounge (chatroom), etc. It is important to understand that these services have two distinct views. One view is of the Service Owner, who installs, customizes and runs these services on his or her computer. The service owner and the computer running these services have associated identifiers. By default, computer name is "home". So, your administrative homepage is http://admin.home.uid.operaunite.com/. Remember that even though the protocol of communication looks like http, it is not. Opera relays all traffic using a proprietary ucp protocol (encrypted) to asd.opera.com and auth.opera.com (no protocol details except here). The other view is of the Service Page which is used by your users (friends, customers, etc) to access your selected content. These trusted users can access your services from any browser (not just opera unite) and uses the plain http protocol. The service homepage is http://home.uid.operaunite.com/. I was fascinated by this idea, so I decided to look at the security aspects of the product (while it was in beta). Here are my findings in no particular priority order (tested on 10.00 Beta 3 Build 1703). 1. Enumerating Service Owner Usernames 2. Enumerating Computer names for a particular Service Owner 3. Enumerating Service Owner Server IP address and Port number 4. Hijacking Insecure Communication in Service Pages 5. Hosting Phishing Pages and other Malware on Trusted Operaunite.com 6. CSRF-ing a File Upload from a Trusted User 7. CSRF-ing a Note on the Fridge 8. CSRF-Ing anyuserid to join a chatroom 9. XSS ing the unite-session-id cookie, works for almost all services 10. Clickjacking any Service Page 11. Inconsistency in Password Policy for some services Read details at http://securethoughts.com/2009/08/pwning-opera-unite-with-infernos-eleven/ Thanks and Regards, Inferno Security Researcher SecureThoughts.com
