Advisory: Hidden keyboard navigation can allow cross site scripting or code execution
UPDATE Link: http://www.opera.com/fr/security/advisory/1021
Announced: June 12, 2012
Reporter: Security researcher Jordi Chancel
Fixed in: Opera 12 and Opera 11.65
When a user is interacting with a window, that window should be visible to the user, to ensure that the user realizes it is there. If a page is displayed in a small enough window, the user may not realize it is being displayed, and if the right keyboard sequence is carefully followed, they can end up performing undesirable actions on that page. Similar attacks could also be used against Opera’s preferences to change preferences or select executables to be run by Opera. Additional social engineering steps are needed to ensure that the user presses the correct key sequence, without being able to show any relevant visual feedback, as the page cannot see that the keys are being pressed.
Opera Software has released Opera 12 and Opera 11.65, where this issue has been fixed. Web authors are encouraged to use the x-frame-options header, and similar clickjacking protections to ensure that their pages cannot be targeted by keyboard variations of clickjacking attacks.
Thanks to Jordi Chancel for reporting this issue to Opera Software.
- Vidéo de démonstration :
-Security Researcher Jordi Chancel