Local File Read via Stored XSS in The Opera Browser (4000 USD)

We discussed this vulnerability as part of our weekly podcast on 14 September 2021

The vulnerability here is simply that Opera’s Pinboard feature allows pinning URLs starting with javascript: creating a clickable link on a Pinboard that will execute JavaScript. Unfortunately (for the attacker) these tabs open in a new window and not within the Pinboard context unless middle clicking, then these links will trigger them within the Pinboard context.

The Pinboard context is important here not so much because one might want to steal the data on a pinboard but because within Opera the Pinboards open within a higher-privileged opera: schema. This means the tab (and any XSS inside of it) can access browser features unavailable normal websites.

The example HTTP request to add a pin to the pinboard provided by the author doesn’t show anything unique that an attacker would need to disclose or guess; not even a unique cookie so I’m actually curious how Opera is associating the requests to a particular board. This does mean that it could have been used in a wide-spread targeted attack. So despite the need to middle click, hitting enough people its bound to land on a few.

The second half of the post deals with abusing these extra features to create a reasonably impactful attack chain:

  • Open a New Tab at file:///etc/passwd
  • Use the opr.pinboardPrivate.getThumbnail function to generate a thumbnail of the newly created tab
  • Send the base64 encoded version of that thumbnail to the attacker’s server