A bug bounty hunter was able to pivot from XSS to full-blown RCE
The browser-maker runs a technical blog series on the most interesting vulnerabilities reported through its private bug bounty program.
In a post dated September 24, Opera detailed the latest discovery of a bug bounty hunter with the handle ‘Renwa’, a member of the private disclosure scheme.
The researcher chose to explore what he calls one of the “cooler” features of the Chromium-based browser, known as My Flow and described as an “encrypted space shared between Opera Touch and your Opera computer browser”.
The technology allows users to exchange files, links, YouTube videos, photos and personal notes, and access them at any time from their connected mobile device or computer.
Go with the Flow
My Flow can be used by scanning a QR code within the Touch mobile Opera browser. My Flow’s interface is loaded from web.flow.opera.com, a feature that contained an XSS issue in its drag-and-drop functionality that could be used to launch an alert box.
The bug bounty hunter has published a proof of concept (PoC) that demonstrates the exploit.
After examining the HTML page further, Renwa also found a hidden browser extension called Opera Touch Background.
The extension contained “higher privileges and access to native functions”, according to Renwa, and two of these functions, designed for use with My Flow, were of particular interest.
These functions were “send file” – used to pull information on user-provided content and to upload it to My Flow – and “open file,” intended for use in opening images but able to open any file type. Together, they provided “an arbitrary file write and open” on a target machine.
Renwa was then able to create proof-of-concept code, beginning with the XSS trigger, that resulted in an RCE for My Flow users.
Browser bug bounty
After reporting the bug to Opera, the issue was resolved in several days and a bug bounty of $8,000 was awarded.
This is the second vulnerability submitted by Renwa to Opera’s program. Another flaw was discovered recently in Opera Pinboards, a storage and sharing feature for bookmarks, screenshots, and notes.
Here, the XSS bug could be triggered to allow local file read, a vulnerability that earned the researcher $4,000.