The vulnerability here is simply that Opera’s Pinboard feature allows pinning URLs starting with
The Pinboard context is important here not so much because one might want to steal the data on a pinboard but because within Opera the Pinboards open within a higher-privileged
opera: schema. This means the tab (and any XSS inside of it) can access browser features unavailable normal websites.
The example HTTP request to add a pin to the pinboard provided by the author doesn’t show anything unique that an attacker would need to disclose or guess; not even a unique cookie so I’m actually curious how Opera is associating the requests to a particular board. This does mean that it could have been used in a wide-spread targeted attack. So despite the need to middle click, hitting enough people its bound to land on a few.
The second half of the post deals with abusing these extra features to create a reasonably impactful attack chain:
- Open a New Tab at
- Use the
opr.pinboardPrivate.getThumbnailfunction to generate a thumbnail of the newly created tab
- Send the base64 encoded version of that thumbnail to the attacker’s server