Opera Patches URL-Spoofing Flaw

Alternative Web browser firm Opera Software has rushed out a fix for a security vulnerability that could allow an attacker to fool the Opera browser into showing a fake address in its address bar.

The flaw, which was discovered by Israel-based security consultants GreyMagic, could lead to "phishing" attacks where URLs are spoofed to trick Web surfers into giving up sensitive information like credit card numbers, bank account information, Social Security numbers and passwords.

According to an advisory from GreyMagic, the Opera browser's "Shortcut Icon" feature could be manipulated to fool users into believing that they are in a domain they trust (their bank, web-mail, etc.) while serving and receiving content in a hostile domain.

"This can be done by creating an icon that contains the text of the desired site, which would be similar in appearance to the way Opera shows addresses in the address bar... This alone, however, is not enough, as it will cause the real address to appear to the right of the fake address," the company said.

"Unfortunately, this too can be circumvented by tricking Opera into showing the right-hand side of the attacking URL, while filling that side with spaces. The result is a very convincing fake address appearing in the address bar."

The flaw affects Opera versions 7.50 and prior. The Norway-based browser firm has released Opera 7.51, which addresses the issue.

It is not the first time a URL-spoofing flaw has turned up in a popular Web browser. Earlier this year, Microsoft released a fix for a similar bug in its flagship Internet Explorer (IE) browser with a warning that Web addresses could be manipulated to trick surfers.

The "phishing" technique has been largely successful for attackers, according to research statistics released by MessageLabs. The company said e-mail "phishing" scams jumped by about 1,200 percent in the past six months.

This article was first published on internetnews.com.
