
$8,000 Bug Bounty Highlight: XSS to RCE in the Opera Browser

Submitted by Style Pass, 2021-09-25 08:00:06

Continuing from his previous post, Bug Bounty Hunter Renwa writes about the second vulnerability he submitted to Opera’s Private Bug Bounty Programme: a Remote Code Execution in Opera’s My Flow Feature. What follows is his write-up and experience.

One of the cooler features of the Opera Browser is My Flow, which is basically a shared space between your computer and your phone, allowing you to share links, images, and videos with yourself. To connect, you just scan a QR code, and then you can send things between devices.

Using the developer tools in Opera, I found that the My Flow interface is loaded from the domain web.flow.opera.com, which is just a normal HTML page, and which allows me to view its code and components.

Looking at the page’s source code, I found that the page communicated with a browser extension, but from my browser’s extension list in opera://extensions/, nothing appeared. After some research, I found that it is actually a hidden browser extension, which could be displayed by opening Opera using a special flag, --show-component-extension-options. After opening the browser with that flag, I found the extension called Opera Touch Background, and was able to view its source code.

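// HTML representation of the dropped item, as supplied by the drag source
const html = e.dataTransfer.getData('text/html');
const src = html.match(//);
if (src && src[1]) {
   const parser = document.createElement("span");
   // The captured string is handed to the HTML parser through innerHTML
   parser.innerHTML = src[1];
}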
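A hardened counterpart to the handler above, added here as an example and not taken from the write-up or from Opera's code: it treats the dropped HTML as text, never assigns it to innerHTML, and accepts only http(s) image URLs. The function names, the regular expression, the entity table and the scheme allow-list are assumptions, and the regex extraction stands in for DOMParser so the code also runs outside a browser.

```javascript
// Added example (not Opera's code): derive an image URL from dropped HTML
// without passing any of it to an HTML sink such as innerHTML.

// Assumed policy: only these URL schemes are accepted for a dropped image.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Entities that can legitimately appear inside a quoted attribute value.
const ENTITIES = {
  "&amp;": "&", "&quot;": '"', "&#39;": "'", "&lt;": "<", "&gt;": ">",
};

// Decode entities as plain text in a single pass, so "&amp;lt;" becomes
// "&lt;" and is not decoded a second time.
function decodeEntities(text) {
  return text.replace(/&(?:amp|quot|#39|lt|gt);/g, (m) => ENTITIES[m]);
}

// Return the normalized http(s) URL of the first <img> in `html`, or null.
function imageUrlFromDroppedHtml(html) {
  if (typeof html !== "string") return null;
  // Assumed pattern: first double-quoted src attribute of an <img> tag.
  const m = html.match(/<img\b[^>]*?\ssrc\s*=\s*"([^"]*)"/i);
  if (!m) return null;
  let url;
  try {
    // Absolute URLs only: relative or malformed values throw here.
    url = new URL(decodeEntities(m[1]).trim());
  } catch {
    return null;
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Browser-side use (hypothetical handler and `preview` element):
//   const url = imageUrlFromDroppedHtml(e.dataTransfer.getData("text/html"));
//   if (url) { const img = new Image(); img.src = url; preview.replaceChildren(img); }

// Constructed sample inputs, not captured from Opera.
const SAMPLES = [
  '<img alt="a" src="https://example.com/a.png?x=1&amp;y=2">', // accepted
  '<img src="data:text/html,hello">',                          // wrong scheme
  '<img src="&lt;b&gt;bold&lt;/b&gt;">',                       // markup, not a URL
  '<p>no image here</p>',                                      // no <img>
];
for (const s of SAMPLES) console.log(JSON.stringify(imageUrlFromDroppedHtml(s)));
```

The value returned is a URL string that has been parsed and re-serialized, so it can be set on an element property such as `img.src` without an HTML parser ever seeing the dropped data.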
