[Opera Security Advisory DNA-19280] Address bar spoofing with Data URIs


Advisory: Address bar spoofing with Data URIs


UPDATE Link: http://www.opera.com/blogs/security/2014/05/security-changes-opera-21/


Announced: May 6, 2014
Reporter: Security researcher Jordi Chancel
Impact: Low
Products: Opera
Fixed in: Opera 21


Description

When a user chooses to open a link in a new tab, the new tab should still display the address as normal. However, with Data URIs, Opera would accidentally right-align the address field, showing the wrong end of the address. Again, this could allow a specially crafted URL to show what appeared to be a domain name, but which was actually path data. As with the previous bug, it would be missing the domain highlight, but may be enough to fool some users.
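The alignment problem described above can be expressed as a display-logic check that compares what a fixed-width address field shows with what the URL actually is. This JavaScript is an added example, not Opera's code; the function names, the 30-character field width and the sample URI are assumptions constructed for illustration.

```javascript
// Added illustration, not Opera's implementation. All names are hypothetical.

// Text visible in a fixed-width address field, depending on which end is anchored.
function visibleSlice(url, width, align) {
  if (url.length <= width) return url;
  return align === "right" ? url.slice(-width) : url.slice(0, width);
}

// Only schemes that carry an authority have a host worth highlighting.
// A data: URI has no host at all, so the result is null.
function displayHost(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  if (scheme !== "http" && scheme !== "https") return null;
  try { return new URL(url).hostname; } catch { return null; }
}

// Heuristic: text in the visible slice that reads like a hostname.
const HOSTLIKE = /(?:^|[\s/])((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/\s]|$)/i;

// Flags the condition from the advisory: the URL has no host, the scheme has
// scrolled out of view, and the visible text still looks like a domain name.
function auditAddressField(url, width, align) {
  const shown = visibleSlice(url, width, align);
  const scheme = url.slice(0, url.indexOf(":") + 1);
  const schemeVisible = shown.startsWith(scheme);
  const hostLike = HOSTLIKE.exec(shown);
  return {
    shown,
    schemeVisible,
    apparentHost: hostLike ? hostLike[1] : null,
    misleading: displayHost(url) === null && !schemeVisible && hostLike !== null,
  };
}

// Constructed sample: a data: URI whose trailing path data resembles a domain.
const SAMPLE = "data:text/plain," + "A".repeat(80) + " www.example.com/";

// Right-aligned (the buggy behaviour) hides "data:" and shows the tail;
// left-aligned (the expected behaviour) keeps the scheme in view.
console.log(auditAddressField(SAMPLE, 30, "right"));
console.log(auditAddressField(SAMPLE, 30, "left"));
```

The same check can be run in a UI regression test over every scheme the browser displays, asserting that `misleading` is never true for the rendered field.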

Opera’s Response

Opera Software has released Opera 21, where this issue has been fixed.


Credits

Reported by Jordi Chancel.


  • Demonstration video:


-Security Researcher Jordi Chancel
