
GreyMagic Security Advisory GM#005-OP

By GreyMagic Software, Israel.
04 Feb 2003.

Topic: Opera: What's Next.

Discovery date: 28 Jan 2003.

Affected applications:

Opera 7 (final).

Introduction:

Opera recently released a new version of its browser.

Like any other browser, Opera supports the "history" object, which makes it possible to navigate through the browser history by exposing the "back", "forward", and "go" methods.

Discussion:

Opera exposes a little more than a few methods on the history object. It also exposes two properties, "next" and "previous". Unlike the methods mentioned above, these properties contain actual URLs.

This means that when a user navigates to a website, its owner can easily check and log where the user had last been, and even where he went right afterwards (in case the user goes back in history), regardless of whether those URLs refer to the owner's web site or not.

Notice that "history.previous" is not the same as the "HTTP_REFERER" header. It will return the last URL even if it was not the direct referrer to the current URL, which makes Opera's "Enable referrer logging" configuration option completely pointless.

That's a serious breach of privacy, which Opera seems to have implemented intentionally.

Exploit:

The following code demonstrates how to retrieve these properties:

alert("Last URL: "+history.previous+".\nNext URL: "+history.next+".");

Demonstration:

Press the button below in order to view the previous and next entries in the history object. For a better demonstration of this flaw, browse to a different web site and then hit the back button.

Solution:

Hopefully, Opera will reconsider these properties and remove them from the history object. Until then, you may prefer to disable JavaScript by going to File -> Preferences -> Multimedia and unchecking the "Enable JavaScript" item.
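
A regression check for the behaviour described in this advisory, added here as an example and not part of GreyMagic's original text: it reports any property of a history-like object whose value is a URL. The function and object names are hypothetical, and the two sample objects are constructed models, not output captured from Opera.

```javascript
// Added example: audit a history-like object for properties that hold URLs.
// Property names taken from the advisory; always probed even if not enumerable.
const PROBED_NAMES = ["previous", "next"];

// Matches values that look like an absolute URL ("http://...", "file://...").
const URL_LIKE = /^[a-z][a-z0-9+.-]*:\/\//i;

function auditHistoryObject(historyObj) {
  const names = new Set(PROBED_NAMES);
  // for...in also walks inherited enumerable properties of host objects.
  for (const name in historyObj) names.add(name);

  const findings = [];
  for (const name of names) {
    let value;
    try {
      value = historyObj[name];
    } catch (err) {
      continue; // access denied or throwing getter: nothing disclosed
    }
    if (typeof value === "string" && URL_LIKE.test(value)) {
      findings.push({ name, value });
    }
  }
  return findings;
}

// Constructed model of the Opera 7 behaviour described above (not captured data).
const leakyHistory = {
  length: 3,
  previous: "http://mail.example.org/inbox?session=constructed",
  next: "http://intranet.example.net/report",
  back() {}, forward() {}, go() {},
};

// Constructed model of a history object exposing only length and navigation methods.
const cleanHistory = { length: 3, back() {}, forward() {}, go() {} };

function summarize(label, historyObj) {
  const names = auditHistoryObject(historyObj).map((f) => f.name);
  return names.length
    ? `${label}: FAIL, URL disclosed via history.${names.join(", history.")}`
    : `${label}: PASS, no URL-bearing properties`;
}

console.log(summarize("Opera 7 model", leakyHistory));
console.log(summarize("clean model", cleanHistory));
```

In a browser, the same function can be called as auditHistoryObject(window.history) to confirm that a given build no longer exposes the properties.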

Tested on:

Opera 7 NT4.
Opera 7 Win98.
Opera 7 Win2000.
Opera 7 WinXP.

Disclaimer:

The information in this security advisory and any of its demonstrations is provided "as is" without warranty of any kind.

Vulnerability details are provided strictly for educational and defensive purposes.

GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.


Copyright © 2008 GreyMagic Software