[Opera Security Advisory DNA-18354] Address bar spoofing with downloads

Advisory: Address bar spoofing with downloads

UPDATE Link: http://www.opera.com/blogs/security/2014/05/security-changes-opera-21/

Announced: May 6, 2014
Reporter: Security researcher Jordi Chancel
Impact: Low
Products: Opera
Fixed in: Opera 21


This unrelated bug only occurred when the user dragged and dropped a URL into the address bar, which started a download. The address bar would then be right aligned, showing the wrong end of the address. This could allow a specially crafted URL to show what appeared to be a domain name, but which was actually path data. It would be missing the domain highlight, but may be enough to fool some users.
Simultaneously, it would leave the address bar in edit state, showing the download address instead of the address of the currently displayed page. Since the user may not realise that they had changed the address and put the address bar into edit state, we have now changed this to show the address of the displayed page. We’ll go into more details about this issue in a future blog post.

Opera’s Response

Opera Software has released Opera 21, where this issue has been fixed.


Reported by Jordi Chancel.