lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <001b01ca2ad0$a89e20e0$f9da62a0$@com>
Date: Mon, 31 Aug 2009 23:51:39 -0700
From: "Inferno" <inferno@...urethoughts.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Pwning Opera Unite with Inferno's Eleven

Pwning Opera Unite with Inferno's Eleven
----------------------------------------
Complete Post at
http://securethoughts.com/2009/08/pwning-opera-unite-with-infernos-eleven/

Opera Unite, the upcoming version of the Opera browser has a strong vision
to change how we look at the web. For those who are unknown to this radical
technology, it extends your browser into a full-blown collaboration suite
where you can chat with people, leave notes, share files, play media, host
your sites, etc. (Wow!!).

Opera Unite comes bundled with a bunch of standard services such as Fridge
(Notes), The Lounge (chatroom), etc. It is important to understand that
these services have two distinct views. One view is of the Service Owner,
who installs, customizes and runs these services on his or her computer. The
service owner and the computer running these services have associated
identifiers. By default, computer name is "home". So, your administrative
homepage is http://admin.home.uid.operaunite.com/. Remember that even though
the protocol of communication looks like http, it is not. Opera relays all
traffic using a proprietary ucp protocol (encrypted) to asd.opera.com and
auth.opera.com (no protocol details except here). The other view is of the
Service Page which is used by your users (friends, customers, etc) to access
your selected content. These trusted users can access your services from any
browser (not just opera unite) and uses the plain http protocol. The service
homepage is http://home.uid.operaunite.com/.

I was fascinated by this idea, so I decided to look at the security aspects
of the product (while it was in beta). Here are my findings in no particular
priority order (tested on 10.00 Beta 3 Build 1703). 

1. Enumerating Service Owner Usernames 

2. Enumerating Computer names for a particular Service Owner 

3. Enumerating Service Owner Server IP address and Port number 

4. Hijacking Insecure Communication in Service Pages 

5. Hosting Phishing Pages and other Malware on Trusted Operaunite.com 

6. CSRF-ing a File Upload from a Trusted User 

7. CSRF-ing a Note on the Fridge 

8. CSRF-Ing anyuserid to join a chatroom 

9. XSS ing the unite-session-id cookie, works for almost all services 

10. Clickjacking any Service Page 

11. Inconsistency in Password Policy for some services

Read details at
http://securethoughts.com/2009/08/pwning-opera-unite-with-infernos-eleven/

Thanks and Regards,
Inferno
Security Researcher
SecureThoughts.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ