Opera Patches URL-Spoofing Flaw

Alternative Web browser firm Opera Software has rushed out a fix for a security vulnerability that could allow an attacker to fool the Opera browser into showing a fake address in its address bar.

The flaw, which was discovered by Israel-based security consultants GreyMagic, could lead to “phishing” attacks where URLs are spoofed to trick Web surfers into giving up sensitive information like credit card numbers, bank account information, Social Security numbers and passwords.

According to an advisory from GreyMagic, the Opera browser’s “Shortcut Icon” feature could be manipulated to fool users into believing that they are in a domain they trust (their bank, web-mail, etc) while serving and receiving content in a hostile domain.

“This can be done by creating an icon that contains the text of the desired site, which would be similar in appearance to the way Opera shows addresses in the address bar . . . This alone, however, is not enough, as it will cause the real address to appear to the right of the fake address,” the company said.

“Unfortunately, this too can be circumvented by tricking Opera into showing the right-hand side of the attacking URL, while filling that side with spaces. The result is a very convincing fake address appearing in the address bar.”

The flaw affects Opera versions 7.50 and prior. The Norway-based browser firm has released Opera 7.51 that addresses the issue.

It is not the first time a URL-spoofing flaw has turned up in a popular Web browser. Earlier this year, Microsoft’s released a fix for a similar bug in its flagship Internet Explorer (IE) browser with a warning that Web addresses could be manipulated to trick surfers.

The “phishing” technique has been largely successful for attackers, according to research statistics released by MessageLabs. The company said e-mail “phishing” scams jumped by about 1,200 percent in the past six months.

In September of 2003, the company’s system logged 279 different phishing e-mail attempts around the Internet. By January, the number of scams numbered 337,050.

Separately, GreyMagic warned of a Cross-Site Scripting (CSS) vulnerability in the Yahoo! Web-based e-mail service that could allow attackers to bypass the filtering engine and inject script to an e-mail. “This vulnerability could affect over 100 million Yahoo users who could have been attacked just by opening an e-mail for reading,” according
to an alert from GreyMagic.

The company said Yahoo! was notified and has since fixed the bug.

News Around the Web