Opera asks for my keychain password on macOS – what do I do? Opera 53 has a new signing certificate

Security Opera asks for my keychain password on macOS – what do I do? Opera 53 has a new signing certificate Share May 30th, 2018 Hello, We would like to let you know that we have updated our software signing certificate from Opera Software ASA to Opera Software AS. This is why your macOS is aski...

Opera installer mistakenly marked as malicious

Security Opera installer mistakenly marked as malicious Share February 22nd, 2017 During the past few days some of our users have contacted us raising the concern that the Qihoo 360 Total Security anti-virus software has been labelling the Opera installer executable for Windows as some form of...

Legacy Opera Presto source code appearance in online sharing sites

Security Legacy Opera Presto source code appearance in online sharing sites Share January 18th, 2017 Opera recently became aware that source code from our legacy browser engine, Presto, has appeared in some online code and file sharing sites. This code is the property of Opera Software and has be...

Misissued certificates

Security Misissued certificates Share October 29th, 2015 Recently, Google found a google.com pre-certificate in a CT log, without having ordered one. This lead to a series of incidents, also involving Opera and its security team. The backstory Google promptly contacted Symantec who had issued the...

Developer 32: Protecting against yourself

Security Developer 32: Protecting against yourself Share June 18th, 2015 Remember the SuperFish scandal? A third party application installed a Certificate Authority on PCs, and then hijacked all secure connections by serving browsers certificates from this local certificate authority. The SuperFi...

Unjam the logjam

Security Unjam the logjam Share June 9th, 2015 When a browser and website communicate over a secure connection, they encrypt and decrypt the data using a shared symmetric encryption key; the same key is used for encryption and decryption. In order for the browser and server to make sure they use...

Security changes in Opera 25; the poodle attacks

Security Security changes in Opera 25; the poodle attacks Share October 15th, 2014 So the last weeks have been rather hectic behind the scenes in the browser security world, when Google security group found a new way to exploit a rather well known design weakness in SSLv3 published in the paper...

Security changes in Opera 23

News Security changes in Opera 23 Share August 19th, 2014 Opera 23 has been out on the stable channel for a while, and we have just released a few silent security updates as well. The first was a regular Opera security fix, the second was to take in a security patch in advance of the regular...

Security changes in Opera 21

News Security changes in Opera 21 Share May 6th, 2014 Opera 21 for Windows and Mac is now out on the Stable channel. As with most major releases, the main focus is on the new features, which are discussed over on the Desktop Team blog. In addition, we have included a reworking of the Address fiel...

Cookies can be set for a top-level domain – Opera Security Advisories

Browsers should only allow cookies to be set for the website that created them. In some specific cases, Opera does not apply this restriction correctly, and allows a website to set a cookie for its entire top-level domain such as .com or .co.uk. A malicious site could then redirect the user to...

DOM events manipulation might be used to execute arbitrary code – Opera Security Advisories

DOM events manipulation might be used to execute arbitrary code – Opera Security Advisories OPCOM Team | January 29, 2013 Severity: High Description: Particular DOM event manipulations can cause Opera to crash. In some cases, this crash might occur in a way that allows execution of arbitrary code...

Carefully timed redirects can allow cross site scripting – Opera Security Advisories

Scripts on a page are supposed to be restricted so that they can only interact with other pages from the same domain and security context. Carefully timed redirects can cause scripts to execute in the wrong security context in Opera. This allows cross site scripting XSS...

Private data can be disclosed to other computer users, or be modified by them – Opera Security Advisories

Private data such as cache, password files, and Opera’s configuration files are supposed to be visible only to the user who owns the Opera profile. Opera does not set the profile folder permissions correctly, allowing other computer users to read the sensitive contents of profile files. In some...

Error pages can be used to guess local file paths – Opera Security Advisories

Remote web pages should not be able to detect what files a user has on their local machine. Certain error pages do not apply this restriction correctly, allowing web pages to produce an error page where a script can run. The script can then use various events to detect whether files on the user’s...

Cross domain access to object constructors can be used to facilitate cross-site scripting – Opera Security Advisories

JavaScripts are able to redefine and override the methods of native objects. They may also do this with the native objects of any document that shares the same origin. By redefining the methods of another document through the constructor property of the document’s host objects, a malicious script...

Truncated dialogs may be used to trick users – Opera Security Advisories

When an important dialog is being displayed, such as a download dialog, the entire dialog should be visible, so that the user can clearly see what the dialog’s buttons will do. In some cases, specific user interactions can cause Opera not to enforce this correctly, allowing the window to become...

Certain characters in HTML can incorrectly be ignored, which can facilitate XSS attacks – Opera Security Advisories

Sites that allow content to be provided by untrusted users, such as forums and blogging sites, typically sanitize the untrusted content to ensure that it does not contain any harmful content, such as malicious scripts. When certain characters appear at specific locations within HTML markup, they...

Element HTML content can be incorrectly returned without escaping, bypassing some HTML sanitizers – Opera Security Advisories

When sites accept HTML from untrusted users, and use that HTML as page content, they typically sanitize the untrusted HTML to ensure that it does not contain any harmful content, such as malicious scripts. In some cases, this sanitization may be performed by writing and reading the contents of DO...

Carefully timed reloads, redirects, and navigation can spoof the address field – Opera Security Advisories

The address field should always show the address of the page that is being displayed. Certain types of navigation, combined with reloads and redirects to a slowly-responding target site can cause the address field to show the target site’s address, while the attacking site is still being displaye...

Cross-domain JSON resources may be exposed as JavaScript variable data – Opera Security Advisories

JSON strings are sometimes exported by sites as a resource that cannot be read cross-domain, and may contain confidential data. The format of a JSON string ensures that it cannot be read as the contents of a variable, if it is included as a normal script. In some cases, Opera does not correctly...

Printing issue can allow data leaks to other system users, or allow them to corrupt data – Opera Security Advisories

When pages are printed by Opera, a temporary file is created, which contains the document to print. This document is not created with the correct permissions, allowing other users of the system to read its contents. When printed with certain popular printing frameworks, an additional temporary fi...

Carefully timed reloads and redirects can spoof the address field – Opera Security Advisories

The address field should always show the address of the page that is being displayed. In certain cases, if a target site responds slowly, reloading an attacking page and redirecting to the target page can cause the address field to show the target site’s address, while the attacking site is still...

Overlapping content can trick users into executing downloads – Opera Security Advisories

Dialogs such as the download dialog are usually displayed on top of page content, to ensure that the user knows that the dialog is requesting attention. In some cases, this policy was not implemented correctly in Opera, allowing certain page content to overlay the dialog. In these cases, clicking...

Issue with error pages can cause a system crash – Opera Security Advisories

When attempting to resolve a URL which cannot be interpreted as a legal URL, Opera will create an error page to display to the user when they load it. If enough invalid URLs can be created, Opera can use up all available disk space with these error pages, causing the browser or operating system t...

Frameset issue allows execution of arbitrary code – Opera Security Advisories

Framesets allow web pages to hold other pages inside them. Certain frameset constructs are not handled correctly when the page is unloaded, causing a memory corruption. To inject code, additional techniques will have to be employed...

Email passwords are not immediately deleted when deleting private data – Opera Security Advisories

Email passwords are not immediately deleted when deleting private data – Opera Security Advisories OPCOM Team | January 26, 2011 Severity Moderate Description When using “Delete Private Data” and selecting the option to “Clear all email account passwords”, the passwords were not deleted...

Clickjacking attacks may be carried out against internal opera: URLs – Opera Security Advisories

Clickjacking attacks may be carried out against internal opera: URLs – Opera Security Advisories OPCOM Team | January 25, 2011 Severity High Description Internal opera: URLs which may be used to modify the Opera configuration have some intentional restrictions that are designed to mitigate possib...

Large form inputs can allow execution of arbitrary code – Opera Security Advisories

Large form inputs can allow execution of arbitrary code – Opera Security Advisories OPCOM Team | January 25, 2011 Severity Critical Description When certain large form inputs appear on a web page, they can cause Opera to crash. In some cases, the crash can lead to memory corruption, which could b...

Opera may be used as a vector for multiple font issues in the underlying operating system – Opera Security Advisories

Opera may be used as a vector for multiple font issues in the underlying operating system – Opera Security Advisories OPCOM Team | December 17, 2010 Affected versions This vulnerability may be targeted through Opera for Windows. Severity Critical Description A flaw in the font handling on the...

JavaScript might run in the wrong context if loaded from error page – Opera Security Advisories

JavaScript might run in the wrong context if loaded from error page – Opera Security Advisories OPCOM Team | October 11, 2010 Severity Moderate Description If Opera is sent to an invalid URL, an error page will be displayed along with a link to the URL. The URL linked to might run scripts, and in...

Heap buffer overflow in HTML5 canvas can be used to execute arbitrary code – Opera Security Advisories

Heap buffer overflow in HTML5 canvas can be used to execute arbitrary code – Opera Security Advisories OPCOM Team | August 12, 2010 Severity High Description Performing some painting operations on a canvas while certain transformations are being applied in Opera may result in heap buffer overflow...

Unrestricted File I/O can be used by Widgets to execute arbitrary code – Opera Security Advisories

Unrestricted File I/O can be used by Widgets to execute arbitrary code – Opera Security Advisories OPCOM Team | June 29, 2010 Severity Highly severe Description Widgets may use File I/O to create, read, modify, or delete files, with the user’s permission. When using this functionality, Opera shou...

File inputs can disclose the path to selected files – Opera Security Advisories

File inputs can disclose the path to selected files – Opera Security Advisories OPCOM Team | June 29, 2010 Severity Less severe Description When a file is selected in a file upload input, the path to that file is not exposed through the input’s value property. This is done to protect any sensitiv...

Double-clicking a link can unexpectedly run a program from the Internet – Opera Security Advisories

Double-clicking a link can unexpectedly run a program from the Internet – Opera Security Advisories OPCOM Team | June 29, 2010 Severity Moderately severe Description When a user clicks a link on a Web page that points to an executable file, Opera will show a download dialog to allow the user to...

Widget properties exposed to third party domains – Opera Security Advisories

Widget properties exposed to third party domains – Opera Security Advisories OPCOM Team | June 29, 2010 Severity Moderately severe Description In some cases, widget properties could be exposed to third party domains, leading to the possibility of leak of widget information, or configuration optio...

Cross-domain data theft with CSS load – Opera Security Advisories

Cross-domain data theft with CSS load – Opera Security Advisories OPCOM Team | January 11, 2010 Summary CSS can be loaded cross-domain, and in some cases it is be possible to read the data pointed to, leading to the possibility of cross-domain data theft. Severity Moderate Opera’s response Opera...

Random number generator and input name linebreaks can be used to send custom data to other sites – Opera Security Advisories

Random number generator and input name linebreaks can be used to send custom data to other sites – Opera Security Advisories OPCOM Team | June 10, 2009 Severity Moderately severe Problem description Input names can contain line breaks when data is sent using POST. Suitable use of the random numbe...

Resized canvas patterns can cause Opera to execute arbitrary code – Opera Security Advisories

Resized canvas patterns can cause Opera to execute arbitrary code – Opera Security Advisories OPCOM Team | December 16, 2008 Severity Moderately Severe Problem Description HTML CANVAS elements can use scaled images as patterns. With suitable scaling manipulation of the image, a script can cause...

Newsfeed prompt can cause Opera to execute arbitrary code – Opera Security Advisories

Newsfeed prompt can cause Opera to execute arbitrary code – Opera Security Advisories OPCOM Team | December 16, 2008 Severity Highly Severe Problem Description When Opera encounters a newsfeed source on a Web page, it prompts to add the source as a newsfeed. A script can manipulate the feed sourc...

Representation of DOM attribute values could allow cross-site scripting – Opera Security Advisories

Representation of DOM attribute values could allow cross-site scripting – Opera Security Advisories OPCOM Team | December 16, 2008 Severity Moderately Severe Problem Description When XML is imported into a document, its attribute values are not correctly presented to the DOM. This can allow their...

Custom shortcuts can pass the wrong parameters to applications – Opera Security Advisories

Custom shortcuts can pass the wrong parameters to applications – Opera Security Advisories OPCOM Team | December 16, 2008 Severity Moderately Severe Problem Description Custom shortcut and menu commands can be used to activate external applications. In some cases, the parameters passed to these...

Sites can change framed content on other sites – Opera Security Advisories

Sites can change framed content on other sites – Opera Security Advisories OPCOM Team | December 16, 2008 Severity Highly Severe Problem Description Scripts are able to change the addresses of framed pages that come from the same site. Due to a flaw in the way that Opera checks what frames can be...

canvas functions can reveal data from random places in memory – Opera Security Advisories

canvas functions can reveal data from random places in memory – Opera Security Advisories OPCOM Team | December 16, 2008 Severity Moderately severe Problem description There is a flaw in the way that certain canvas functions are handled, that can cause the canvas to be painted with very small...

Registering Opera as a protocol handler can allow it to be used to execute arbitrary code – Opera Security Advisories

Registering Opera as a protocol handler can allow it to be used to execute arbitrary code – Opera Security Advisories OPCOM Team | December 16, 2008 Severity Extremely Severe Problem Description When an application attempts to access a URL that uses a protocol that it does not understand, it may...

Opera security upgrade for Linux, Solaris and FreeBSD – Opera Security Advisories

Opera security upgrade for Linux, Solaris and FreeBSD – Opera Security Advisories OPCOM Team | December 16, 2008 Summary Opera 9.20 has a highly recommended security upgrade for users of the Adobe Flash Player on Linux, Solaris and FreeBSD Severity Highly critical Problem description A security...

A JPEG image with a malformed header can crash Opera – Opera Security Advisories

A JPEG image with a malformed header can crash Opera – Opera Security Advisories OPCOM Team | December 16, 2008 Summary A JPEG image with a malformed header can crash Opera, and causearbitrary code to be run. Severity Moderate Problem description A specially crafted DHT marker in the JPEG file...

Feed preview can reveal contents of unrelated news feeds – Opera Security Advisories

Feed preview can reveal contents of unrelated news feeds – Opera Security Advisories OPCOM Team | December 16, 2008 Severity Highly Severe Platforms All desktop versions Problem Description When Opera is previewing a news feed, some scripts are not correctly blocked. These scripts are able to...

Character Encoding Inheritance in iframes Can Enable Cross-Site Scripting – Opera Security Advisories

Character Encoding Inheritance in iframes Can Enable Cross-Site Scripting – Opera Security Advisories OPCOM Team | December 16, 2008 Severity Moderate Problem description Pages displayed inside an iframe will inherit the character encodingof the parent page, unless they specify their own characte...

Malformed bitmaps can reveal old data from random places in memory – Opera Security Advisories

Malformed bitmaps can reveal old data from random places in memory – Opera Security Advisories OPCOM Team | December 16, 2008 Severity Moderately Severe Problem Description Specially malformed bitmap images can cause Opera to render the image using a palette made up from uninitialized memory. Usi...

Feed links can link to local files – Opera Security Advisories

Feed links can link to local files – Opera Security Advisories OPCOM Team | December 16, 2008 Severity Less Severe Problem Description As a security precaution, Opera does not allow Web pages to link to files on the user’s local disk. However, a flaw exists that allows Web pages to link to feed...