Pwning Opera Unite with Inferno’s Eleven

By | October 29, 2009 | 8 Comments


Guys from SecureThoughts.com decided to research Opera Unite security and share some insights.

1. Enumerating Service Owner Usernames
Use the site:operaunite.com search query in a search engine to build a list.

2. Enumerating Computer names for a particular Service Owner
“If you visit the service homepage with any non-existent computer name, then Opera Unite happily discloses all computer names used by that person.”

3. Enumerating Service Owner Server IP address and Port number
As they say, Opera Unite does not mask your IP or port number. In fact, everyone can see it.
View > Source

[Screenshot: Opera Unite Security]

4. Hijacking Insecure Communication in Service Pages
One of the main issues found here was the lack of HTTPS support: “These users use sensitive credentials to login to your services and need the same kind of security as the service owner. What is more shocking is that the user management system at my.opera.com does not support https.”

5. Hosting Phishing Pages and other Malware on Trusted Operaunite.com
An attacker can trick users by uploading a phishing site to their Unite page. As you can see from the screenshot, the content looks like it is coming from operaunite.com, which leads some users to fall for this trick.

[Screenshot: Opera Unite Security]

They have found many more issues with Opera Unite; you may read about them here.
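A minimal model of findings 2 and 3 next to a hardened lookup, with a check a service operator could run as a regression test. This is an added example, not code from Opera, SecureThoughts.com or the original post; the directory, computer names, addresses and function names are all hypothetical.

```javascript
// Constructed sample data: owner -> (computer name -> address the proxy forwards to).
// Names are made up; 192.0.2.0/24 is a documentation-only address range.
const directory = new Map([
  ["alice", new Map([["livingroom-pc", "192.0.2.10:8840"],
                     ["office-laptop", "192.0.2.77:8840"]])],
]);

// Leaky model of findings 2 and 3: an unknown computer name is answered with the
// owner's full device list, and a valid page carries the backend address in its source.
function lookupLeaky(owner, computer) {
  const devices = directory.get(owner);
  if (!devices) return { status: 404, body: "No such user" };
  const addr = devices.get(computer);
  if (!addr) {
    return { status: 404, body: `Unknown computer. Available: ${[...devices.keys()].join(", ")}` };
  }
  return { status: 200, body: `<!-- upstream ${addr} --><h1>${computer}</h1>` };
}

// Hardened: unknown owner and unknown computer get the same generic answer,
// and the backend address is never rendered into the page.
function lookupHardened(owner, computer) {
  const devices = directory.get(owner);
  if (!devices || !devices.has(computer)) return { status: 404, body: "Not found" };
  return { status: 200, body: `<h1>${computer}</h1>` }; // computer is a known key here
}

// Lists what a response body reveals beyond the computer name that was requested.
function disclosures(owner, requested, body) {
  const out = [];
  for (const [name, addr] of directory.get(owner) ?? []) {
    if (name !== requested && body.includes(name)) out.push(`name:${name}`);
    if (body.includes(addr)) out.push(`addr:${name}`);
  }
  return out;
}

// Compare both lookups for a non-existent name and for a valid page.
for (const lookup of [lookupLeaky, lookupHardened]) {
  for (const computer of ["does-not-exist", "livingroom-pc"]) {
    const res = lookup("alice", computer);
    console.log(lookup.name, computer, res.status, disclosures("alice", computer, res.body));
  }
}
```
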

Thanks to F for sending this.



About (Author Profile)


Vygantas is a former web designer whose projects are used by companies such as AMD, NVIDIA and departed Westwood Studios. Being passionate about software, Vygantas began his journalism career back in 2007 when he founded FavBrowser.com. Having said that, he is also an adrenaline junkie who enjoys good books, fitness activities and Forex trading.

  • http://my.opera.com/rafaelluik Rafael

    Interesting… Let’s see what is going to change after that considering that Unite is in beta…

  • ica

    “3. Enumerating Service Owner Server IP address and Port number”
    This one is fixed, I can see any IP address nor Port number in any unite source page I’ve visited.
    “1. Enumerating Service Owner Usernames”
    “It’s not a bug, it’s a feature.”
    However, in the advanced settings you have the choice to make visible or not your services to search engines, on Opera unite web pages, inside your local network.

  • ica

    “This one is fixed, I can see any IP address nor Port number in any unite source page I’ve visited.”
    I CAN’T see, of course, sorry.

  • WellDuh

    FYI:

    “This is really old, and the list has just fixed issues, or non-issues that are present in any webserver.”

    Why is FavBrowser posting oooold and outdated stuff? A quick search would show that this is a couple of months old!

  • nobody

    and all opera had to say at that point was ‘trust us, we know what we are doing’.. bollocks

    it is a bit old, some of this stuff had been fixed awhile ago, but basic information is simple – opera HAS problems creating secure webservices.

    first sign of trouble was, when they’ve announced that login will not use https.. in 2009!

    all that say that this is BETA – Opera CEO claimed unite was secure back then in september and august! he dismissed all security concerns with ‘trust us’. well, he lied or wasn’t aware what he is talking about. opera unite in that time WASN’T secure at all, and probably isn’t secure now. it takes time, skill and attitude to admit to failure. opera has skill, but neither of following two..

    • Washout

      Give me a break. You are an idiot. This list is 2 months old, and either only affected the pre-alpha demo/concept version, or are non-issues that are true for ANY web server.

      Unite as a concept is secure. That doesn’t mean that there can’t be any security holes. Security holes can appear in any application.

      Your irrational hatred of Opera is really making you blind to the fact that your irrational bashing of Opera in this case means that you have to irrationally bash anyone who creates a web server!

      LOL, Unite doesn’t mask your IP address?! If THAT is a security issue, then THE WHOLE INTERNET IS A SECURITY ISSUE!

      You are and will always be a moron.

      • nobody

        it still stands – opera’s ceo claimed that opera unite is secure, and that they know what are they doing. obviously he was: a) lying b) not aware how secure unite really is c) mixture of both.

        opera at the time when opera’s ceo was interviewed and was responding to security concerns WASN’T secure at all.

        and it isn’t true that any webapplication has the same issues – i cannot see ip’s of other users that use the same online bank. do i care if my ip is visible? no. should opera disclose it in plain text? no.

        is there anything else you are too stupid to understand?

  • tomass

    well, absence of HTTPS is the only real problem in my opinion. the rest is either fixed or the user can turn it off. and as for phishing possibilities with Unite: it is a risk every hosting service has to cope with, I don’t know why it is a problem for Unite only.
    There are more important hypothetical security risks (like gaining read access to shared folders) and the article didn’t discover any of them… so in these terms the CEO has the right to call it secure.