Via message passing, extensions let web applications get access to sensitive pr

A Former User

A Former User @sgunhouse last edited by

@sgunhouse Ok that's a pity, because I do not have a bug number.
May I post it again ?

leocg

leocg Moderator Volunteer @Guest last edited by

How did you report those extensions?

A Former User

A Former User @leocg last edited by

@leocg Via the bug report wizard - https://bugs.opera.com/wizard/
I would have saved the bug number, but unfortunately, I did not

leocg

leocg Moderator Volunteer @Guest last edited by

Didn't you get an email message with it?

A Former User

A Former User @leocg last edited by

@leocg No I did not.
I checked my mails

leocg

leocg Moderator Volunteer @Guest last edited by

And did you provide one when you made the report?

Do you remember the title or any detail of the report?

A Former User

A Former User @leocg last edited by

@leocg No I did not !
I do not remember the exact title of the report, but it is related to extensions that can be exploited by web pages via message passing to get access to privileged extensions API.
So maybe
"Exploiting extensions capabilities via message passing"

OR

"Extensions that let scripts in webpages post messages to the extensions in order to bypass SOP, execute arbitrary code in the context of the extension, trigger downloads, read and write extensions storage"

OR

"Via message passing, extensions let web applications get access to sensitive privileged capabilities"

leocg

leocg Moderator Volunteer @Guest last edited by

So that's why you didn't get a confirmation message with the bug id.

A Former User

A Former User @leocg last edited by

@leocg Ok I see
What to do now ?

leocg

leocg Moderator Volunteer @Guest last edited by

Nothing. By the way, it seems that the extension you mentioned in the first post was removed.

A Former User

A Former User @leocg last edited by

@leocg Yes it has been removed. But I have some more to report, can I do it here ?

leocg

leocg Moderator Volunteer @Guest last edited by

You can post here in the forums for reference but it would be better to use https://security.opera.com/report-security-issue/

Choose web service or website and mention addons.opera.com

A Former User

A Former User @leocg last edited by

@leocg Ok thanks. I found that most of the extensions I reported have been removed. But I reported some other 4 that are still on the Opera addons page. Thanks for your highly useful help

A Former User

A Former User @leocg last edited by

@leocg Do you think that Opera should do something, during extensions review process, in order to remove extensions that can be exploited via message passing ?

tnowak

tnowak Opera @Guest last edited by

@doliere Currently the best way to report problems with extensions is through their respective pages.
There's a "Reported issues" button on each.

For general issues and ideas please use https://security.opera.com/report-security-issue/ --> "Web Service or website" --> "addons.opera.com".

Thanks for reporting these!

A Former User

A Former User @tnowak last edited by

@tnowak This issue has been addressed ! I note your comment for future reports