Establishing Digital Trust: Don't Sacrifice Security for Convenience
The flaw, which was discovered by Israel-based security consultants GreyMagic, could lead to "phishing" attacks where URLs are spoofed to trick Web surfers into giving up sensitive information like credit card numbers, bank account information, Social Security numbers and passwords.
According to an advisory from GreyMagic, the Opera browser's "Shortcut Icon" feature could be manipulated to fool users into believing that they are in a domain they trust (their bank, web-mail, etc.) while serving and receiving content in a hostile domain.
"This can be done by creating an icon that contains the text of the desired site, which would be similar in appearance to the way Opera shows addresses in the address bar... This alone, however, is not enough, as it will cause the real address to appear to the right of the fake address," the company said. "Unfortunately, this too can be circumvented by tricking Opera into showing the right-hand side of the attacking URL, while filling that side with spaces. The result is a very convincing fake address appearing in the address bar."
The flaw affects Opera versions 7.50 and prior. The Norway-based browser firm has released Opera 7.51 that addresses the issue.
It is not the first time a URL-spoofing flaw has turned up in a popular Web browser. Earlier this year, Microsoft released a fix for a similar bug in its flagship Internet Explorer (IE) browser, with a warning that Web addresses could be manipulated to trick surfers.
The "phishing" technique has been largely successful for attackers, according to research statistics released by MessageLabs. The company said e-mail "phishing" scams jumped by about 1,200 percent in the past six months.