XSS to RCE in the Opera Browser ($8000 USD)

We discussed this vulnerability during Episode 87 on 04 October 2021

Root cause here is an XSS in the “My Flow” feature resulting in client-side code execution.

My Flow is a shared space between your computer and phone for sending links, images and videos to yourself, and it is implemented with a built-in browser extension. The problem code was in the drag-and-drop event handling. When a user drops an image onto the page, a new element is created with its innerHTML set to what is expected to be the source URL of the image file. However, the data carried by the drop event's dataTransfer object is controlled by the drag source, so HTML can be supplied instead of the expected image URL, giving XSS on the Opera page.
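To show the defect pattern concretely, here is an added example (not Opera's code) that models the drop handler described above as two pure functions returning the string that would be assigned to innerHTML, alongside a hardened version. The `fakeDataTransfer` helper and the URL scheme check are assumptions made for the illustration.

```javascript
// Added example, not code from the Opera extension. Each render function
// returns the string the handler would assign to innerHTML, so the
// behaviour can be checked without a DOM.

// Escape the characters that matter inside HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Mirrors the flaw: the dropped text is trusted as an image URL and spliced
// straight into markup, so any HTML the drag source placed there is parsed.
function renderDropUnsafe(dataTransfer) {
  const url = dataTransfer.getData('text/plain');
  return `<img src="${url}">`;
}

// Hardened: only accept http(s) URLs and escape before the value reaches
// markup. In a real page, prefer document.createElement('img') and setting
// img.src directly, which never goes through the HTML parser at all.
function renderDropSafe(dataTransfer) {
  const raw = dataTransfer.getData('text/plain');
  let parsed;
  try {
    parsed = new URL(raw);
  } catch (e) {
    return null; // not a URL at all: reject instead of rendering
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  return `<img src="${escapeHtml(parsed.href)}">`;
}

// Constructed stand-in for the DataTransfer object a drop event carries.
function fakeDataTransfer(text) {
  return { getData: (type) => (type === 'text/plain' ? text : '') };
}
```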

Looking to gain higher privileges, the author examined what functionality was available on this extension page. It turned out to have access to opr.operaTouchPrivate, a collection of functions used by the My Flow application, including SEND_FILE and OPEN_FILE functions, which can be used to first write a file such as a .bat and then open it, leading to command execution.