Opera "phishing" vulnerability in 7.51

Forum Moderators: open

Message Too Old, No Replies

Opera "phishing" vulnerability in 7.51

RammsteinNicCage

5:43 pm on Jun 28, 2004 (gmt 0)

... a remote user can create HTML that, when loaded by the target user, will set the URL in the status bar to an arbitrary URL.
The HTML includes an IFrame within a cascading style sheet definition and a zero second HTML Refresh statement containing a javascript command. The source URL of the iframe will be listed in the address bar.
This exploit can be used in "phishing" attacks.

[securitytracker.com...]

I believe this was the same thing that was happening on IE, right?

Jennifer

BlobFisk

8:00 am on Jun 29, 2004 (gmt 0)

Nice catch Jennifer! Anything from Opera themselves on this yet?

RammsteinNicCage

3:40 pm on Jun 29, 2004 (gmt 0)

I was looking through their forums and haven't seen a response from one of the Opera people and a fix hasn't been issued yet. This was apparently found around June 22nd.

Jennifer

bryholmsen

8:56 pm on Jun 30, 2004 (gmt 0)

This isn't the same as MSIE, and it's apparently rather difficult to actually exploit. To exploit it you'll have to get the victim to your site first apparently, and then use the trick. It's just a low risk vulnerability, in other words.

At least from what I can gather.