In the Opera browser, the “scrollTop” and “scrollLeft” properties of a frame are accessible from the main page. This may lead to cross-site information leakage.
Tested Platform: Opera <= 10.54 AND 10.60 RC (Build 3443)
Proof of Concept:
Why is it really an issue?
I think it is one kind of bypass of the same-origin policy. All other famous browsers are secured against this method.
My point is: if you use the “#” character, you can jump to a certain point of the page, provided you have that element’s ID.
It is shown in my proof of concept if you look at:
I used two URLs with different Element IDs to collect the user’s information from Facebook:
First, by using the following URL, I can check if the user is logged in to Facebook. It will jump to the “#pass” point, which is only available when there is a login form at the top of the page.
Then, as there is an SMS subscription on the Opera Browser Wall (http://www.facebook.com/Opera) when you are a fan, I can find it out by using “#sms_status_subscribe” in the following URL:
And that’s why…!
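A small model of the inference described above, as an added example that is not the author's proof of concept and not Opera's code. It shows why a readable frame scroll offset acts as a presence test for an element ID, when that test gives no signal, and what the embedding page sees once the same-origin policy covers these properties. The layouts, offsets, viewport height and function names are constructed assumptions.

```javascript
// Toy model only: no browser APIs are used, all layouts are constructed.

// A framed document: total height plus a Map of element ID -> vertical offset.
function makeDoc(height, anchors) {
  return { height, anchors: new Map(anchors) };
}

// Fragment navigation: if the ID exists the frame scrolls to it, clamped to
// the maximum scrollable distance; if it does not exist the frame stays at 0.
function scrollTopAfter(doc, fragment, viewportHeight) {
  if (!doc.anchors.has(fragment)) return 0;
  const maxScroll = Math.max(0, doc.height - viewportHeight);
  return Math.min(doc.anchors.get(fragment), maxScroll);
}

// What the embedding page learns. exposed=true models the behaviour reported
// here (frame scroll offsets readable cross-origin); exposed=false models a
// browser that applies the same-origin policy to those properties.
function observe(doc, fragment, viewportHeight, exposed) {
  if (!exposed) return "blocked";
  return scrollTopAfter(doc, fragment, viewportHeight) > 0
    ? "present"
    : "absent-or-unknown";
}

// Constructed layouts: one variant with a login form (#pass), one without,
// and one where the whole page fits in the viewport so nothing can scroll.
const VIEWPORT = 600;
const withLoginForm = makeDoc(2000, [["pass", 120]]);
const withoutLoginForm = makeDoc(2000, []);
const shortPage = makeDoc(500, [["pass", 120]]);

function demo() {
  return {
    loginForm: observe(withLoginForm, "pass", VIEWPORT, true),
    noLoginForm: observe(withoutLoginForm, "pass", VIEWPORT, true),
    shortPage: observe(shortPage, "pass", VIEWPORT, true),
    sopEnforced: observe(withLoginForm, "pass", VIEWPORT, false),
  };
}

console.log(demo());
```

A zero offset is ambiguous in this model: it means either that the ID is missing or that the page could not scroll, so only a non-zero offset carries information.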