(Original Advisory is Available) Opera Browser Shortcut Icon May Cover URL Addresses
SecurityTracker Alert ID: 1010376|
SecurityTracker URL: http://securitytracker.com/id/1010376
(Links to External Site)
Date: Jun 3 2004
Modification of system information|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
Version(s): 7.50 and prior versions|
A vulnerability was reported in the Opera browser. A remote user can spoof various status bars using a shortcut icon.|
The vendor reported that a remote user can create a specially crafted shortcut icon file of an unusually wide size to cover the URL in the address line. The URLs in the address bar, page bar, and page/window cycler are affected.
The vendor credits GreyMagic with discovering this flaw.
GreyMagic indicates that a remote user can create an image that looks like an address in Opera's address bar and can include the shortcut icon with the following HTML:
<link rel="shortcut icon" href="linkToFakeAddress.gif"> A demonstration exploit example is available at:
The vendor was reportedly notified on May 19, 2004.
A remote user can cause the address bar to appear to display an alternate URL.|
The vendor has released a fixed version (7.51), available at:|
Vendor URL: www.opera.com/ (Links to External Site)
Input validation error|
|Underlying OS: Windows (Any)|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Subject: [Full-Disclosure] Phishing for Opera (GM#007-OP)|
GreyMagic Security Advisory GM#007-OP
By GreyMagic Software, 03 Jun 2004.
Available in HTML format at
Topic: Phishing for Opera.
Discovery date: 16 May 2004.
Opera 7.50 and prior.
Most browsers today implement a "Shortcut Icon" (favicon) feature. This
feature gives web-sites the option to add a small icon to the address bar
Opera also implements this feature. However, unlike other browsers, Opera
allows the use of icons that may be large in width.
It is possible to use this feature in Opera to fool users into believing
that they are in a domain they trust (their bank, web-mail, etc) while
serving and receiving content in a hostile domain. Thereby enabling identity
theft, credit card scams and more.
This can be done by creating an icon that contains the text of the desired
site, which would be similar in appearance to the way Opera shows addresses
in the address bar.
This alone, however, is not enough, as it will cause the real address to
appear to the right of the fake address. Unfortunately, this too can be
circumvented by tricking Opera into showing the right-hand side of the
attacking URL, while filling that side with spaces.
The result is a very convincing fake address appearing in the address bar.
Create an image that looks like an address in Opera's address bar and use
the following element to include it in a page:
<link rel="shortcut icon" href="linkToFakeAddress.gif">
A proof-of-concept demonstration of this issue is available at
GreyMagic informed Opera of the vulnerability on 19-May-2004. A new version
(7.51) was released on 03-Jun-2004 to address this problem.
The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind.
GreyMagic Software is not liable for any direct or indirect damages caused
as a result of using the information or demonstrations provided in any part
of this advisory.
- Copyright ) 2004 GreyMagic Software.
Full-Disclosure - We believe in it.