Opera browser patches remote code execution vulnerability

guest · Sep 27, 2021

Opera browser patches My Flow remote code execution vulnerability
A bug bounty hunter was able to pivot from XSS to full-blown RCE
September 27, 2021
https://portswigger.net/daily-swig/opera-browser-patches-my-flow-remote-code-execution-vulnerability

Opera has patched a severe cross-site scripting (XSS) to remote code execution (RCE) web browser flaw.
In a post dated September 24, Opera detailed the latest discovery of a bug bounty hunter with the handle ‘Renwa’, a member of the private disclosure scheme.

The researcher chose to explore what he calls one of the “cooler” features of the Chromium-based browser, known as My Flow and described as an “encrypted space shared between Opera Touch and your Opera computer browser”.
Click to expand...

The bug bounty hunter has published a proof of concept (PoC) that demonstrates the exploit.
After examining the HTML page further, Renwa also found a hidden browser extension called Opera Touch Background.
Browser bug bounty
After reporting the bug to Opera, the issue was resolved in several days and a bug bounty of $8,000 was awarded.

This is the second vulnerability submitted by Renwa to Opera’s program. Another flaw was discovered recently in Opera Pinboards, a storage and sharing feature for bookmarks, screenshots, and notes.
Click to expand...

Rasheed187 · Oct 3, 2021

Hmmmm, this is painful stuff, so this bug isn't even related to Chromium, but was introduced by Opera itself.

Log in or Sign up

Opera browser patches remote code execution vulnerability

guest Guest

Rasheed187 Registered Member

Log in or Sign up

Opera browser patches remote code execution vulnerability

guest Guest

Rasheed187 Registered Member

Useful Searches