Security fix: Addressing a low-impact Pinboards vulnerability
Hi Opera users,
Recently, an independent security researcher responsibly disclosed a vulnerability in Opera’s Pinboards feature, which helped our team to quickly work on a fix. The vulnerability affected Pinboards that users set as public (which means they are visible to anyone who has that particular Pinboard’s URL), and could enable a bad actor to, effectively, “subscribe” to posts that a user would make on their public Pinboard. Private pinboards that were not shared publicly were not affected by the vulnerability.
Upon investigating the researcher’s findings, we took immediate action, and a fix has already been deployed. The threat level is considered low – as a public Pinboard is meant to be viewed by anyone, it is unlikely that users would post or share sensitive information on it, which makes this vulnerability less of an immediate risk. It’s still not expected or desired behavior, which necessitated a quick fix.
In this post, we want to share some more details about the vulnerability and the steps we took to address it, as well as set users’ minds at ease by explaining what the vulnerability does and does not affect.
Vulnerability analysis
Pinboards use an “anyone with the link” access model for boards that users want to share with others. To create, share, or view a Pinboard, users do not need to make an account or share any other personal information. When a user explicitly chooses to share a Pinboard, the system generates a unique identifier (a UUID) in the URL – making it, for all intents and purposes, a live web page. This design allows people that receive the link to view the Pinboard seamlessly.
The vulnerability involved a flaw within our real-time messaging system. The system was accidentally configured to accept wildcards (board/#). This meant that an unauthenticated user could technically subscribe to the real-time message feed and passively harvest the unique URLs of boards at the exact moment they were being actively used or updated.
Low threat level
While the vulnerability certainly needed addressing, it’s important to clarify that it only affected Pinboards that were shared by users as Public. Private Pinboards were completely unaffected. As we mentioned, Pinboards are, by design, kept separate from both the Opera account and browser information such as history, bookmarks, and other relevant data.
So, to recap:
- This issue did not expose private boards. The mechanism could only capture the URLs of boards where users had already explicitly toggled on the “Share” option.
- We have thoroughly reviewed our logs and system traffic. We have found absolutely no evidence that this vulnerability was ever exploited by a malicious actor to harvest data.
Response and next steps
As soon as the researcher, known as ty5ona, responsibly flagged this issue, our engineering team immediately modified our system policies. We removed the wildcard access, ensuring that users can only subscribe to Pinboards with an exact link. No action is required on your part. The fix was implemented entirely server-side, and all real-time traffic is now properly restricted.
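To make the vulnerability analysis and the fix concrete, here is an added example (not Opera's code; the topic layout "board/<uuid>" and the MQTT-style wildcard rules are assumptions) of a subscription authorization policy for a real-time feed. The weak policy accepts any filter under "board/", so the multi-level wildcard "board/#" is granted and a listener receives every board update; the hardened policy, like the server-side fix described above, accepts only one exact board identified by a full UUID and rejects any filter containing a wildcard character.

```python
"""Subscription authorization for a real-time board feed.

Added illustration, not Opera's code. Assumed (hypothetical) topic
layout: "board/<uuid>", with MQTT-style wildcards where "+" matches a
single level and "#" matches every remaining level.
"""
import re
from typing import Callable, Dict, List, Tuple

# Exactly one board topic: the prefix plus one full, lowercase, hyphenated UUID.
BOARD_TOPIC = re.compile(
    r"^board/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
WILDCARD_CHARS = ("#", "+")


def permissive_policy(topic_filter: str) -> bool:
    """Weak setting: anything under 'board/' is allowed, wildcards included."""
    return topic_filter.startswith("board/")


def strict_policy(topic_filter: str) -> bool:
    """Hardened setting: a filter is allowed only if it names one board by
    its full UUID and contains no wildcard character anywhere."""
    if any(ch in topic_filter for ch in WILDCARD_CHARS):
        return False
    return BOARD_TOPIC.fullmatch(topic_filter) is not None


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT-style matching: '+' matches one level, '#' matches the rest."""
    f_parts = topic_filter.split("/")
    t_parts = topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return True
        if i >= len(t_parts):
            return False
        if part != "+" and part != t_parts[i]:
            return False
    return len(f_parts) == len(t_parts)


class Broker:
    """Minimal in-memory pub/sub, used only to show the policy's effect."""

    def __init__(self, policy: Callable[[str], bool]):
        self.policy = policy
        self.subscriptions: Dict[str, List[str]] = {}  # client -> accepted filters
        self.delivered: Dict[str, List[str]] = {}      # client -> topics received

    def subscribe(self, client: str, topic_filter: str) -> bool:
        """Apply the policy at subscribe time; reject before any data flows."""
        if not self.policy(topic_filter):
            return False
        self.subscriptions.setdefault(client, []).append(topic_filter)
        return True

    def publish(self, topic: str, payload: str) -> None:
        for client, filters in self.subscriptions.items():
            if any(topic_matches(f, topic) for f in filters):
                self.delivered.setdefault(client, []).append(topic)


# Constructed sample board identifiers (not real boards).
BOARDS = [
    "board/11111111-1111-4111-8111-111111111111",
    "board/22222222-2222-4222-8222-222222222222",
]


def simulate(policy: Callable[[str], bool]) -> Tuple[bool, List[str], List[str]]:
    """Run one scenario under the given policy.

    Returns (wildcard subscription accepted?, topics the wildcard listener
    received, topics a legitimate viewer of BOARDS[0] received).
    """
    broker = Broker(policy)
    accepted = broker.subscribe("listener", "board/#")   # wildcard request
    broker.subscribe("viewer", BOARDS[0])                # viewer holds one link
    for board in BOARDS:
        broker.publish(board, "pin added")
    return (
        accepted,
        broker.delivered.get("listener", []),
        broker.delivered.get("viewer", []),
    )


if __name__ == "__main__":
    print("permissive:", simulate(permissive_policy))
    print("strict:    ", simulate(strict_policy))
```

Under the permissive policy the listener's wildcard subscription is accepted and it is handed the topic (and therefore the board identifier) of every board that is updated; under the strict policy the same request is refused at subscribe time, while the viewer who already holds a board's link still receives that board's updates. Enforcing the check when the subscription is created, rather than filtering messages afterwards, is what keeps the fix entirely server-side.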
We want to extend our sincere thanks to ty5ona who discovered and responsibly reported this flaw. Their work allowed us to quickly fortify our platform before any abuse could occur.
If you notice any vulnerabilities in Opera, please reach out to us – our bug bounty program is the most effective way to do that. You can also get in touch with our Security team directly.
As always, stay safe out there!