Opera Receives DevSecOps All-Star Award at SnykCon 2020
News | October 28th, 2020 | At SnykCon 2020, Opera received the DevSecOps All-Star Award for leveraging Snyk to bring a complete and fully automated DevSecOps process into a secure software development lifecycle. Opera was represented by...
How private is a private window?
Privacy | October 15th, 2020 | Alice and Bob find themselves in a shared living-space, where long-held secrets are at risk of being revealed. TL;DR: skip to the conclusions to see what Alice learned. The Privacy Problem: Alice and Bob recently decided to take the...
Bypass a restriction in OfA 54 – Opera Security Advisories
Opera for Android before 54.0.2669.49432 is vulnerable to a sandboxed cross-origin iframe bypass attack. By using a service working inside a sandboxed iframe it is possible to bypass the normal sandboxing attributes. This allows an attacker to make forced redirections without any user interaction...
Opera becomes part of the CNA program
News | December 13th, 2019 | Usually, Friday the 13th is considered to be an unlucky day. However, this is not the case for Opera, as we have great news, especially for security researchers and all security-minded Opera fans. We are proud to announce that...
Flow is seamless and secure – security features explained
Security | August 28th, 2018 | Some of you may already be familiar with Flow, the new feature that allows you to quickly and seamlessly share images, links and videos between your Opera browser for computers and your Opera Touch mobile...
DLL hijacking and the Opera browser
Security | March 10th, 2017 | Recently, a collection of documents was released online, which was claimed to have originated with a major World power. The documents listed hacking vectors that could be used to inject code into major operating systems and...
Opera server breach incident
News | August 26th, 2016 | Earlier this week, we detected signs of an attack where access was gained to the Opera sync system. This attack was quickly blocked. Our investigations are ongoing, but we believe some data, including some of our sync users’ passwords and...
Opera 12 and Opera Mail security update
Security | February 16th, 2016 | We realize that those of you on old operating systems like Windows XP SP1 and older are left without much choice beyond using our Presto-based browser. With security standards on the web changing so much we didn’t want to...
Developer 32: Protecting against yourself
Security | June 18th, 2015 | Remember the SuperFish scandal? A third party application installed a Certificate Authority on PCs, and then hijacked all secure connections by serving browsers certificates from this local certificate authority. The SuperFi...
Dealing with FREAK and SuperFish
Security | March 10th, 2015 | The FREAK TLS attack: Following the trend of memorable names for TLS attacks, FREAK was recently announced. This exploits a bug in some TLS libraries, combined with the support of ancient weak ciphers, to enable a MitM to force...
Optimizing encrypted video
Security | February 25th, 2015 | You might have seen our press release that Opera’s Rocket Optimizer can now optimize encrypted video streams. The attentive reader will already have halted and said, “wait, what?”. In this blog post, we’ll explain how this works. Rocke...
Heartbleed and other heartaches
Security | April 11th, 2014 | As has been reported extensively already, OpenSSL just fixed a serious vulnerability, dubbed Heartbleed. OpenSSL is used in a variety of products used on the internet, including Opera products and servers. We want to share with you h...
Thanks to the researchers 2014
Research | January 31st, 2014 | Each year, a number of researchers offer their assistance to help us tighten the security of our wide array of websites. We would like to take this opportunity to thank the researchers and testers of 2014 for their assistance in...
New home for the Security Group blog
News | October 31st, 2013 | Welcome to the new home of the Opera Security Group. We have changed our blogging platform. For more information regarding the switch, please see this post. If you received this blog post in your feed reader, you do not need ...
Replaced code signing certificate – Opera Security Advisories
Opera Software recently experienced an attack on the internal infrastructure. Following best practices, Opera Software is replacing signing certificates in Opera with newly issued certificates. Certificates in Opera include the code signing certificate for desktop binaries and the signing...
CORS requests can incorrectly retrieve contents of cross origin pages – Opera Security Advisories
CORS Cross-Origin Resource Sharing allows web pages to retrieve the contents of pages from other sites, with their permission, as they would appear for the current user. When requests are made in this way, the browser should only allow the page content to be retrieved if the target site sends the...
Internet shortcuts used for phishing in elements – Opera Security Advisories
Websites may occasionally want to display image content from untrusted sources. A phishing attack may be carried out by the untrusted source, by displaying malicious instructions on the image, or by navigating the containing page to a similar looking document on another server. Since some image...
A combination of clicks and key presses can lead to cross site scripting or code execution – Opera Security Advisories
When a user double clicks on a page, they may expect the two clicks to target the same object. If a page uses the first click to open a pop-up window in a predictable location, the second click may focus parts of the new window, such as its address field. If the page can then convince the user to...
Hidden keyboard navigation can allow cross site scripting or code execution – Opera Security Advisories
When a user is interacting with a window, that window should be visible to the user, to ensure that the user realizes it is there. If a page is displayed in a small enough window, the user may not realize it is being displayed, and if the right keyboard sequence is carefully followed, they can en...
History.state can leak the state data from cross domain pages – Opera Security Advisories
When a site uses history.pushState and history.replaceState to add or replace history entries, it can also provide optional data, which may typically be used to restore the given state when the user navigates through their browser history. When pages with cross-domain frames use this functionalit...
Small windows can be used to trick users into executing downloads – Opera Security Advisories
When the download dialog is displayed, it should always be visible to the user, to ensure that the user realizes it is there. If the dialog is displayed in a small enough window, the user may not realize it is being displayed, and if the right keyboard sequence is carefully followed, they can end...
Web page content may overlap the address field – Opera Security Advisories
The browser’s user interface contains several pieces of security information. To preserve this information correctly, web page content should not be able to display over the user interface. Certain styling can cause Opera to allow the content to be displayed outside the page, over the address...
Changing from a single-user to a multi-user installation on Windows (rev2) – Opera Security Advisories
OPCOM Team | January 5, 2012 | If you received the error message “There was a problem initializing Opera Mail. Engine Init Failed”, it may mean that you have a stand-alone USB installation of Opera...
Issue with error pages can cause a system crash – Opera Security Advisories
When attempting to resolve a URL which cannot be interpreted as a legal URL, Opera will create an error page to display to the user when they load it. If enough invalid URLs can be created, Opera can use up all available disk space with these error pages, causing the browser or operating system t...
Web pages can gain limited access to files on the user’s computer – Opera Security Advisories
OPCOM Team | January 25, 2011 | Severity: High | Description: Certain types of HTTP responses and redirections can cause Opera to mistakenly give elevated privileges to remote web pages. These pages can then u...
Certain DOM manipulations can allow execution of arbitrary code – Opera Security Advisories
OPCOM Team | January 4, 2011 | Severity: High | Description: Various unexpected DOM manipulations can cause Opera to crash. In some cases, these crashes can occur in a way that allows execution of arbitrary code...
Web page content can display misleading security information – Opera Security Advisories
Dialogs such as the security information dialog and download dialog are displayed over the top of the webpage content. In some cases, webpage content will be incorrectly displayed on top of the dialogs, or over parts of the dialogs. This content can then display misleading security information,...
Private video streams can be intercepted – Opera Security Advisories
OPCOM Team | October 6, 2010 | Severity: Moderate | Description: Video content may be used as filler content for a HTML5 canvas, if the video format is natively supported by Opera. If the video and page are from the same site, the...
Manipulating the window can be used to spoof the page address – Opera Security Advisories
OPCOM Team | October 6, 2010 | Severity: Low | Description: Web page scripts can be used to alter the size of the browser window. In some cases, this manipulation can cause the wrong part of the Web page address t...
Unexpected changes in tab focus can be used to run programs from the Internet – Opera Security Advisories
OPCOM Team | August 12, 2010 | Severity: Moderate | Description: Tabs may be used to obscure a download dialog that is visible in another tab. The dialog will allow the user to choose to run...
News feed preview can subscribe to feeds without interaction – Opera Security Advisories
OPCOM Team | August 12, 2010 | Severity: Low | Description: When Opera is previewing a news feed, certain types of content do not have their scripts removed correctly. These scripts are able to subscribe the user t...
File inputs can disclose the path to selected files – Opera Security Advisories
OPCOM Team | June 29, 2010 | Severity: Less severe | Description: When a file is selected in a file upload input, the path to that file is not exposed through the input’s value property. This is done to protect any sensitiv...
Users can be tricked into uploading unexpected files – Opera Security Advisories
OPCOM Team | June 29, 2010 | Severity: Less severe | Description: Plug-ins may be used to seed the system clipboard with paths to a target file, while the user may not expect that to be the contents of the clipboard. If th...
Data URIs can be used to allow cross-site scripting – Opera Security Advisories
OPCOM Team | June 22, 2010 | Severity: Highly severe | Description: Data URIs are allowed to run scripts that manipulate pages from the site that directly opened them. In some cases, the opening site is not correctly...
HTTP Content-Length header can be used to execute arbitrary code – Opera Security Advisories
OPCOM Team | March 17, 2010 | Affected versions: This vulnerability affects Opera for Microsoft Windows. | Severity: Highly Severe | Description: Large values in the HTTP Content-Length header can cause Opera to...
Error messages can leak onto unrelated sites – Opera Security Advisories
Scripting error messages are normally available only to the page that caused the error. In some cases, the error messages could be passed to other sites as the contents of unrelated variables, and may contain sensitive information. If those sites write the content into the page markup, this could...
Web fonts can be used to spoof the page address – Opera Security Advisories
In some cases, a Web font intended to be used for page content could be incorrectly used by Opera to render parts of the user interface, including the address field. This can be used by a malicious site to display a false domain name in the address field...
Specially crafted JPEG images can be used to execute arbitrary code – Opera Security Advisories
OPCOM Team | February 25, 2009 | Severity: Extremely Severe | Problem Description: Specially crafted JPEG images can cause Opera to corrupt memory and crash. Successful exploitation can lead to execution of...
Feed subscription can cause the wrong page address to be displayed – Opera Security Advisories
OPCOM Team | December 16, 2008 | Severity: Not Severe | Problem Description: It has been reported that when a user subscribes to a news feed using the feed subscription button, the page address can be changed...
Insecure pages can show incorrect security information – Opera Security Advisories
OPCOM Team | December 16, 2008 | Severity: Less Severe | Problem Description: When insecure pages load content from secure sites into a frame, they can cause Opera to incorrectly report the insecure site as being secure...
Newsfeed prompt can cause Opera to execute arbitrary code – Opera Security Advisories
OPCOM Team | December 16, 2008 | Severity: Highly Severe | Problem Description: When Opera encounters a newsfeed source on a Web page, it prompts to add the source as a newsfeed. A script can manipulate the feed sourc...
Malformed JPEG headers can be used to execute arbitrary code – Opera Security Advisories
OPCOM Team | December 16, 2008 | Severity: Extremely Severe | Problem Description: A specially crafted JPEG header can cause Opera to crash, allowing execution of arbitrary code. | Opera’s Response: Opera Software has...
Manipulating text input contents can allow execution of arbitrary code – Opera Security Advisories
OPCOM Team | December 15, 2008 | Severity: Extremely Severe | Problem Description: Manipulating certain text-area contents can cause a buffer overflow, which may be exploited to execute arbitrary code...
HTML parsing flaw can cause Opera to execute arbitrary code – Opera Security Advisories
OPCOM Team | December 15, 2008 | Severity: Extremely Severe | Problem Description: Certain HTML constructs can cause the resulting DOM to change unexpectedly, which triggers a crash. To inject code, additional...
Built-in XSLT templates can allow cross-site scripting – Opera Security Advisories
OPCOM Team | December 15, 2008 | Severity: Highly Severe | Problem Description: Built-in XSLT templates incorrectly handle escaped content and can cause it to be treated as markup. If a site accepts content from untruste...
Script injection in feed preview can reveal contents of unrelated news feeds – Opera Security Advisories
OPCOM Team | December 15, 2008 | Severity: Highly Severe | Problem Description: When Opera is previewing a news feed, some scripted URLs are not correctly blocked. These can execute scripts which ar...
Pages held in frames are able to change the location of pages in unrelated frames on the parent page – Opera Security Advisories
OPCOM Team | June 11, 2008 | Severity: Less Severe | Problem Description: Pages from different sources held on the same parent page should not be able to modify the locatio...
Certain characters can obscure the page address – Opera Security Advisories
OPCOM Team | June 9, 2008 | Severity: Less Severe | Problem Description: When a page address contains certain characters, they can cause the page address text to be misplaced. In some cases, this could make characters be...
Information displayed in the security field should be approached with caution. – Opera Security Advisories
OPCOM Team | February 9, 2007 | Summary: Even though a Certificate Authority has verified and signed it, a user should not trust the Organization name without checking the domain name. A fraudule...
A forged SSL server certificate can be accepted by Opera as a valid certificate – Opera Security Advisories
OPCOM Team | September 21, 2006 | Summary: A forged SSL server certificate can be accepted by Opera as a valid certificate. | Severity: Highly critical | Vulnerable versions: Opera for desktop...