Via message passing, extensions let web applications get access to sensitive pr

doliere

doliere @doliere

Could anyone comment on this issue please ?

sgunhouse

sgunhouse Moderator Volunteer

If you reported it, you should have been assigned a bug report number. If you post that number, I can look it up. Otherwise, no.

doliere

doliere @sgunhouse

@sgunhouse Ok that's a pity, because I do not have a bug number.
May I post it again ?

leocg

leocg Moderator Volunteer @doliere

How did you report those extensions?

doliere

doliere @leocg

@leocg Via the bug report wizard - https://bugs.opera.com/wizard/
I would have saved the bug number, but unfortunately, I did not

leocg

leocg Moderator Volunteer @doliere

Didn't you get an email message with it?

doliere

doliere @leocg

@leocg No I did not.
I checked my mails

leocg

leocg Moderator Volunteer @doliere

And did you provide one when you made the report?

Do you remember the title or any detail of the report?

doliere

doliere @leocg

@leocg No I did not !
I do not remember the exact title of the report, but it is related to extensions that can be exploited by web pages via message passing to get access to privileged extensions API.
So maybe
"Exploiting extensions capabilities via message passing"

OR

"Extensions that let scripts in webpages post messages to the extensions in order to bypass SOP, execute arbitrary code in the context of the extension, trigger downloads, read and write extensions storage"

OR

"Via message passing, extensions let web applications get access to sensitive privileged capabilities"

leocg

leocg Moderator Volunteer @doliere

So that's why you didn't get a confirmation message with the bug id.

doliere

doliere @leocg

@leocg Ok I see
What to do now ?

leocg

leocg Moderator Volunteer @doliere

Nothing. By the way, it seems that the extension you mentioned in the first post was removed.

doliere

doliere @leocg

@leocg Yes it has been removed. But I have some more to report, can I do it here ?

leocg

leocg Moderator Volunteer @doliere

You can post here in the forums for reference but it would be better to use https://security.opera.com/report-security-issue/

Choose web service or website and mention addons.opera.com

doliere

doliere @leocg

@leocg Ok thanks. I found that most of the extensions I reported have been removed. But I reported some other 4 that are still on the Opera addons page. Thanks for your highly useful help

doliere

doliere @leocg

@leocg Do you think that Opera should do something, during extensions review process, in order to remove extensions that can be exploited via message passing ?

tnowak

tnowak Opera @doliere

@doliere Currently the best way to report problems with extensions is through their respective pages.
There's a "Reported issues" button on each.

For general issues and ideas please use https://security.opera.com/report-security-issue/ --> "Web Service or website" --> "addons.opera.com".

Thanks for reporting these!

doliere

doliere @tnowak

@tnowak This issue has been addressed ! I note your comment for future reports