Opera Browser for Android

Research Opera Browser for Android Share May 21st, 2021 In this episode of theOpera Bug Bounty series, we introduce Opera for Android, our main product for the Android platform. What is Opera for Android Opera for Android is a Chromium-based browser that prides itself on a user-friendly and good...

Fuzzing HTTP Proxies: Privoxy, Part 1

Research Fuzzing HTTP Proxies: Privoxy, Part 1 Share May 17th, 2021 Here at Opera, we’re always looking for ways to improve the browsing experience of our users with speed and usability. Perhaps more importantly though, we also look for ways to improve users’ privacy and security. While we...

Earn up to $10K from the Opera Bug Bounty program

Security Earn up to $10K from the Opera Bug Bounty program Share April 30th, 2021 Join the Opera Bug Bounty program, find vulnerabilities in scope, tell us how you did it, and collect rewards. We pay up to $10K for confirmed high-value submissions. Opera has two bug bounty programs operated by...

Update your browser regularly

Security Update your browser regularly Share February 12th, 2021 Mallory tries to hack an OS in order to spy on Alice. TL;DR: skip to the conclusions to see what Alice learned. Update your browser regularly Every once in a while you’re asked to update the software on your computer, or just told...

Making browsing safe from phishing

Privacy, Security Making browsing safe from phishing Share January 7th, 2021 Mallory tries to create a phishing site to lure Alice into revealing her secrets. TL;DR: skip to the conclusions to see what Alice learned. The Privacy Problem In the previous episode, Mallory was thinking about...

Cross-site Scripting in OfA – Opera Security Advisories

URLs using “javascript:” have the protocol removed when pasted into the address bar to protect users from cross-site scripting XSS attacks, but in certain circumstances this removal was not performed. This could allow users to be socially engineered to run an XSS attack against themselves. This...

Can a browser extension be cursed?

Privacy Can a browser extension be cursed? Share December 4th, 2020 Mallory tries to create a browser extension that will let him spy on Alice. TL;DR: skip to the conclusions to see what Alice learned. The Privacy Problem Mallory was quite tired of his failed attempts to melt Alice’s heart. She...

Address bar spoofing in Opera Mini for Android – Opera Security Advisories

Opera Mini for Android before version 52.2 is vulnerable to an address bar spoofing attack. The vulnerability allows a malicious page to trick the browser into showing an address of a different page. This may allow the malicious page to impersonate another page and trick a user into providing...

What is the TLS padlock saying?

Security What is the TLS padlock saying? Share November 20th, 2020 Alice and Bob use TLS to keep their long distance relationship hot and private. TL;DR: skip to the conclusions to see what Alice learned. The Privacy Problem Alice and Bob had to turn their relationship into a long distance one...

Address bar spoofing in Opera Touch for iOS – Opera Security Advisories

Opera Touch for iOS before version 2.4.5 is vulnerable to an address bar spoofing attack. The vulnerability allows a malicious page to trick the browser into showing an address of a different page. This may allow the malicious page to impersonate another page and trick a user into providing...

To VPN or not to VPN?

Security To VPN or not to VPN? Share October 29th, 2020 Alice and Bob use VPN to fight Mallory, an inquisitive sysadmin. TL;DR: skip to the conclusions to see what Alice learned. The Privacy Problem Alice and Bob recently met Mallory, who works at the cable company providing internet access to th...

Opera Receives DevSecOps All-Star Award at SnykCon 2020

News Opera Receives DevSecOps All-Star Award at SnykCon 2020 Share October 28th, 2020 AtSnykCon 2020, Opera received the DevSecOps All-Star Award for leveraging Snyk to bring a complete and fully automated DevSecOps process into a secure software development lifecycle. Opera was represented by...

How private is a private window?

Privacy How private is a private window? Share October 15th, 2020 Alice and Bob find themselves in a shared living-space, where long-held secrets are at risk of being revealed. TL;DR: skip to the conclusions to see what Alice learned. The Privacy Problem Alice and Bob recently decided to take the...

Opera becomes part of the CNA program

News Opera becomes part of the CNA program Share December 13th, 2019 Usually, Friday the 13th is considered to be an unlucky day. However, this is not the case for Opera, as we have great news, especially for security researchers and all security-minded Opera fans. We are proud to announce that...

Bypass a restriction in OfA 54 – Opera Security Advisories

Opera for Android before 54.0.2669.49432 is vulnerable to a sandboxed cross-origin iframe bypass attack. By using a service working inside a sandboxed iframe it is possible to bypass the normal sandboxing attributes. This allows an attacker to make forced redirections without any user interaction...

Opera Privacy Statement Update 2019

Privacy Opera Privacy Statement Update 2019 Share February 7th, 2019 This is an outdated article. Please read Opera Privacy Statement Update 2022 instead. We have recently updated our end-user license agreements and our terms of service have been updated as well. We are also about to update our...

Bug bounty open for Opera Android apps!

News Bug bounty open for Opera Android apps! Share November 20th, 2018 We are happy to announce that our applications are now covered by the Google Play Security Reward Program. Researchers are invited to help us improve the security of our chosen products in return for fame and up to $5,000!...

Flow is seamless and secure – security features explained

Security Flow is seamless and secure – security features explained Share August 28th, 2018 Some of you may already be familiar with Flow, the new feature that allows you to quickly and seamlessly share images, links and videos between your Opera browser for computers and your Opera Touch mobile...

Opera asks for my keychain password on macOS – what do I do? Opera 53 has a new signing certificate

Security Opera asks for my keychain password on macOS – what do I do? Opera 53 has a new signing certificate Share May 30th, 2018 Hello, We would like to let you know that we have updated our software signing certificate from Opera Software ASA to Opera Software AS. This is why your macOS is aski...

Thanks to the researchers 2018

News Thanks to the researchers 2018 Share February 13th, 2018 Every year, researchers offer us their assistance to help enhance the security of our websites. We would like to thank those who discovered and reported security issues in 2018. EDIT: The list of researchers was moved to our new site,t...

Opera mitigates critical CPU vulnerabilities

Security Opera mitigates critical CPU vulnerabilities Share January 4th, 2018 There is a lot of uncertainty right now about the impact of the hardware security issue named Meltdown. There will be a scheduled release of Opera which will contain a first set of workarounds as soon as the browser is...

Upcoming update with IDN homograph phishing fix

Security Upcoming update with IDN homograph phishing fix Share April 21st, 2017 Domains are an integral part of the internet. Similar to how people write different languages using different characters or scripts, domain names can be composed of various scripts in whole or in part, and are called...

DLL hijacking and the Opera browser

Security DLL hijacking and the Opera browser Share March 10th, 2017 Recently, a collection of documents was released online, which was claimed to have originated with a major World power. The documents listed hacking vectors that could be used to inject code into major operating systems and...

Thanks to the researchers 2017

Research Thanks to the researchers 2017 Share March 3rd, 2017 We would like to thank the researchers who have offered us their assistance throughout the year, to help enhance the security of our websites. Special mention goes to those who discover and report security issues: Johnny Nipper Mehmet...

Opera installer mistakenly marked as malicious

Security Opera installer mistakenly marked as malicious Share February 22nd, 2017 During the past few days some of our users have contacted us raising the concern that the Qihoo 360 Total Security anti-virus software has been labelling the Opera installer executable for Windows as some form of...

Legacy Opera Presto source code appearance in online sharing sites

Security Legacy Opera Presto source code appearance in online sharing sites Share January 18th, 2017 Opera recently became aware that source code from our legacy browser engine, Presto, has appeared in some online code and file sharing sites. This code is the property of Opera Software and has be...

Opera server breach incident

News Opera server breach incident Share August 26th, 2016 Earlier this week, we detected signs of an attack where access was gained to the Opera sync system. This attack was quickly blocked. Our investigations are ongoing, but we believe some data, including some of our sync users’ passwords and...

Thanks to the researchers 2016

Research Thanks to the researchers 2016 Share April 19th, 2016 A number of researchers and website testers have offered their assistance throughout the year to help us tighten the security of our many websites. Thanks to all! Special mention goes to those who discover and report security issues:...

Opera 12 and Opera Mail security update

Security Opera 12 and Opera Mail security update Share February 16th, 2016 We realize that those of you on old operating systems like Windows XP SP1 and older are left without much choice beyond using our Presto-based browser. With security standards on the web changing so much we didn’t want to...

Misissued certificates

Security Misissued certificates Share October 29th, 2015 Recently, Google found a google.com pre-certificate in a CT log, without having ordered one. This lead to a series of incidents, also involving Opera and its security team. The backstory Google promptly contacted Symantec who had issued the...

Developer 32: Protecting against yourself

Security Developer 32: Protecting against yourself Share June 18th, 2015 Remember the SuperFish scandal? A third party application installed a Certificate Authority on PCs, and then hijacked all secure connections by serving browsers certificates from this local certificate authority. The SuperFi...

Unjam the logjam

Security Unjam the logjam Share June 9th, 2015 When a browser and website communicate over a secure connection, they encrypt and decrypt the data using a shared symmetric encryption key; the same key is used for encryption and decryption. In order for the browser and server to make sure they use...

Dealing with FREAK and SuperFish

Security Dealing with FREAK and SuperFish Share March 10th, 2015 The FREAK TLS attack Following the trend of memorable names for TLS attacks, FREAK was recently announced. This exploits a bug in some TLS libraries, combined with the support of ancient weak ciphers, to enable a MitM to force...

Optimizing encrypted video

Security Optimizing encrypted video Share February 25th, 2015 You might have seen our press release that Opera’s Rocket Optimizer can now optimize encrypted video streams. The attentive reader will already have halted and said, “wait, what?”. In this blog post, we’ll explain how this works. Rocke...

Thanks to the researchers 2015

Research Thanks to the researchers 2015 Share January 16th, 2015 At Opera Software, we run a large number of websites for our products and services, and we like to give credit to the researchers and website testers who offer their assistance to help us tighten the security of those websites. We...

Security changes in Opera 25; the poodle attacks

Security Security changes in Opera 25; the poodle attacks Share October 15th, 2014 So the last weeks have been rather hectic behind the scenes in the browser security world, when Google security group found a new way to exploit a rather well known design weakness in SSLv3 published in the paper...

Security changes in Opera 23

News Security changes in Opera 23 Share August 19th, 2014 Opera 23 has been out on the stable channel for a while, and we have just released a few silent security updates as well. The first was a regular Opera security fix, the second was to take in a security patch in advance of the regular...

Possibly Tricking Users – The Perils of Drag n Drop Decadence

Security Possibly Tricking Users – The Perils of Drag n Drop Decadence Share May 12th, 2014 In the recent Opera 21 Stable release, we fixed a number of bugs relating to the address field. Normally, we would not want to give away too much about a security issue, as it would give a potential attack...

Security changes in Opera 21

News Security changes in Opera 21 Share May 6th, 2014 Opera 21 for Windows and Mac is now out on the Stable channel. As with most major releases, the main focus is on the new features, which are discussed over on the Desktop Team blog. In addition, we have included a reworking of the Address fiel...

Heartbleed and other heartaches

Security Heartbleed and other heartaches Share April 11th, 2014 As has been reported extensively already, OpenSSL just fixed a serious vulnerability, dubbed Heartbleed. OpenSSL is used in a variety of products used on the internet, including Opera products and servers. We want to share with you h...

Security changes in Opera 20 update

Security Security changes in Opera 20 update Share March 13th, 2014 We have just released a silent update of Opera 20, you would most likely not even have noticed. From a security perspective, we have made two interesting changes in this update. The first one regards what we call the badge, the...

Thanks to the researchers 2014

Research Thanks to the researchers 2014 Share January 31st, 2014 Each year, a number of researchers offer their assistance to help us tighten the security of our wide array of websites. We would like to take this opportunity to thank the researchers and testers of 2014 for their assistance in...

Security changes and features of Opera 19

Security Security changes and features of Opera 19 Share January 31st, 2014 Opera 19 is now been put through its paces on the Developer and Next channels, and is now out on the Stable channel. Opera 19 for Android has also recently been released. New features As with every release, each new featu...

Breach incident

News Breach incident Share December 11th, 2013 At Opera, we strive to be open, and we want to continue this tradition, by sharing with you what happens here. High profile companies like Opera are under continuous attack by hackers trying to break into their systems, and we want to tell you about ...

Certificate update

Security Certificate update Share December 9th, 2013 Last week we became aware of the existence of several unauthorized security certificates, issued in violation of rules for creation of such certificates. The certificates chained back to a French certificate authority, ANSSI, and had been signe...

Security changes and features of Opera 18

News Security changes and features of Opera 18 Share December 4th, 2013 Opera 18 is now out on the stable channel, so we wanted to take a moment to go through some of the new features from a security perspective. Media Access One of the new features is media access. That is; camera and microphone...

New home for the Security Group blog

News New home for the Security Group blog Share October 31st, 2013 Welcome to the new home of the Opera Security Group. We have changed our blogging platform. For more more information regarding the switch, please see this post. If you received this blog post in your feed reader, you do not need ...

Replaced code signing certificate

Opera Software recently experienced an attack on the internal infrastructure. Following best practices, Opera Software is replacing signing certificates in Opera with newly issued certificates. Certificates in Opera include the code signing certificate for desktop binaries and the signing...

Replaced code signing certificate – Opera Security Advisories

Opera Software recently experienced an attack on the internal infrastructure. Following best practices, Opera Software is replacing signing certificates in Opera with newly issued certificates. Certificates in Opera include the code signing certificate for desktop binaries and the signing...

Cookies can be set for a top-level domain

Browsers should only allow cookies to be set for the website that created them. In some specific cases, Opera does not apply this restriction correctly, and allows a website to set a cookie for its entire top-level domain such as .com or .co.uk. A malicious site could then redirect the user to...