Guys from SecureThoughts.com decided to do a research on Opera Unite security and share some insights.
1. Enumerating Service Owner Usernames
Use: site:operaunite.com search query in search engine to build a list.
2. Enumerating Computer names for a particular Service Owner
“If you visit the service homepage with any non-existent computer name, then Opera Unite happily discloses all computer names used by that person.”
3. Enumerating Service Owner Server IP address and Port number
As they say, Opera Unite does not mask your IP or port number. In fact, everyone can see it.
View > Source
4. Hijacking Insecure Communication in Service Pages
One of the main issues found here was lack of https support: “These users use sensitive credentials to login to your services and need the same kind of security as the service owner. What is more shocking is that the user management system at my.opera.com does not support https.”
5. Hosting Phishing Pages and other Malware on Trusted Operaunite.com
An attacker can trick users by uploading phishing site to their unite page. As you can see from the screenshot, it looks like content is coming from operaunite.com, resulting some users to fall for this trick.
They have found many more issues with Opera Unite, you may read about it here.
Thanks to F for send this.
About (Author Profile)
Vygantas is a former web designer whose projects are used by companies such as AMD, NVIDIA and departed Westood Studios. Being passionate about software, Vygantas began his journalism career back in 2007 when he founded FavBrowser.com. Having said that, he is also an adrenaline junkie who enjoys good books, fitness activities and Forex trading.