Products::Security

GreyMagic Security Advisory GM#007-OP

By GreyMagic Software, Israel.
03 Jun 2004.

Topic: Phishing for Opera.

Discovery date: 16 May 2004.

Affected applications:

Opera 7.50 and prior.

Introduction:

Most browsers today implement a "Shortcut Icon" (favicon) feature. This feature gives web-sites the option to add a small icon to the address bar and/or favorites.

Opera also implements this feature. However, unlike other browsers, Opera allows the use of icons that may be large in width.

Discussion:

It is possible to use this feature in Opera to fool users into believing that they are in a domain they trust (their bank, web-mail, etc) while serving and receiving content in a hostile domain. Thereby enabling identity theft, credit card scams and more.

This can be done by creating an icon that contains the text of the desired site, which would be similar in appearance to the way Opera shows addresses in the address bar.

This alone, however, is not enough, as it will cause the real address to appear to the right of the fake address. Unfortunately, this too can be circumvented by tricking Opera into showing the right-hand side of the attacking URL, while filling that side with spaces.

The result is a very convincing fake address appearing in the address bar.

Exploit:

Create an image that looks like an address in Opera's address bar and use the following element to include it in a page:

<link rel="shortcut icon" href="linkToFakeAddress.gif">

Demonstration:

Follow the link to open a window to the fake host "www.this-is-a-fake.address".

Solution:

GreyMagic informed Opera of the vulnerability on 19-May-2004. A new version (7.51) was released on 03-Jun-2004 to address this problem.

Credit:

This vulnerability was found and researched in cooperation with Tom Gilder.

Tested on:

Opera 7.23.
Opera 7.50.

Disclaimer:

The information in this security advisory and any of its demonstrations is provided "as is" without warranty of any kind.

Vulnerability details are provided strictly for educational and defensive purposes.

GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.

Stay informed:

Subscribe to GreyMagic's early notification email service and be informed of new vulnerabilities and updates as soon as they appear on the site.

Press here to subscribe.

Your privacy is important to us, read our Privacy Statement.

Copyright © 2008 GreyMagic Software
Hosted by VPW Systems UK - Specialist Internet Services Provider