XSS to RCE in the Opera Browser ($8000 USD)
Root cause here is an XSS in the "My Flow" feature resulting in client-side code execution.

My Flow is a shared space between your computer and phone for sending links, images and videos to yourself, and it is implemented with a built-in browser extension. The problem code was in the drag-and-drop event handling. When a user drops an image onto the page, a new element is created with its `innerHTML` set to what is expected to be the source URL of the image file. However, the data carried by the `dataTransfer` event is attacker-controllable, so HTML can be supplied instead of the expected image URL, giving XSS on the Opera extension page.
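Added example (not code from the write-up or from Opera): a plain-JavaScript model of the drop handler described above, with the unsafe `innerHTML`-style string construction beside a hardened version that validates the dropped value as a URL and never builds markup from it. Function names and the sample dropped strings are constructed for the demonstration.

```javascript
// Constructed stand-ins for event.dataTransfer.getData("text/plain") on a drop.
function droppedSamples() {
  return {
    benign: "https://example.invalid/photo.png",
    hostile: "<b data-marker='injected'>not a url</b>", // HTML instead of a URL
    badScheme: "file:///tmp/not-a-web-image.png",
  };
}

// Vulnerable pattern: the dropped string is spliced straight into markup that
// the page then assigns to element.innerHTML. Any HTML in it is rendered.
function vulnerableImageMarkup(droppedData) {
  return `<img src="${droppedData}">`;
}

// Hardened: parse the dropped value as a URL and accept only the schemes the
// feature expects. Returns null (render nothing) on anything else.
function safeImageSrc(droppedData) {
  let url;
  try {
    url = new URL(droppedData); // throws on strings that are not absolute URLs
  } catch {
    return null;
  }
  if (!["http:", "https:"].includes(url.protocol)) return null;
  return url.href;
}

// Hardened: describe the element as data instead of markup. In the browser the
// caller applies this with document.createElement("img") and img.src = src,
// so no user-controlled string is ever parsed as HTML.
function hardenedImageElement(droppedData) {
  const src = safeImageSrc(droppedData);
  return src === null ? null : { tag: "img", src };
}
```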
Looking to gain higher privileges, the author examined what functionality was available on this extension page. It turned out to have access to `opr.operaTouchPrivate`, a collection of functions used by the My Flow application, including `SEND_FILE` and `OPEN_FILE`. These can be used to first write a file, such as a `.bat`, and then open it, leading to command execution.