Soroush Dalili - Computer Security Is My Interest! » Opera Browser Scroll Information Leakage http://soroush.secproject.com/blog Soroush Dalili's blog - بلاگ سروش دلیلی Tue, 10 Jan 2012 22:54:43 +0000 en hourly 1 Opera Browser – Scroll Information Leakage http://soroush.secproject.com/blog/2010/06/opera-browser-scroll-information-leakage/ http://soroush.secproject.com/blog/2010/06/opera-browser-scroll-information-leakage/#comments Wed, 30 Jun 2010 00:10:35 +0000 Soroush Dalili http://soroush.secproject.com/blog/?p=253 In Opera Browser, “scrollTop” and “scrollLeft” properties of a frame are accessible through the main page. This may lead to cross site information leakage.

Tested Platform: Opera <= 10.54 AND 10.60 RC (Build 3443)

Proof of Concept:

http://0me.me/demo/opera_scroll_leak/test_scroll.html

UPDATE:
Why is it really an issue?

I think it is one kind of bypassing same origin policy. All other famous browsers are secured against this method.
My point is: If you use “#” character, you can jump to a certain point of page in case having that Element’s ID.
It is shown in my proof of concept if you look at:
I used two URLs with different Element IDs to collect the user’s information from Facebook:
First, by using the following URL, I can check if the user is logged-in in facebook. It will jump to “#pass” point which is only available in case of having login form at the top of the page.
Then, as there is a SMS subscription on the Opera Browser Wall (http://www.facebook.com/Opera) when you are the fan, I can find it out by using “#sms_status_subscribe” in the following URL:
 
And that’s why…!
]]> http://soroush.secproject.com/blog/2010/06/opera-browser-scroll-information-leakage/feed/ 0