Opera Automatic Webpage Redirect to Update Page that Auto-Downloaded a JavaScript file
-
fatguy1121 last edited by
I just had my browser redirect a site I was looking at to a page that looked very legitimate claiming that Opera was out of date, and automatically downloaded a javascript file. Is this normal behavior or nefarious, I have the javascript file saved in an archive and can upload it if needed. I immediately closed and re-opened opera then checked for updates where it updated to 62.0.3331.18.
-
burnout426 Volunteer last edited by
Sounds shady to me, but you can upload the script somewhere if you want. Also, what domain did the redirect take you too if you remember? Did you have 58 before Opera updated to 62?
-
fatguy1121 last edited by
Specifically this was the website I was on. http://justsomething.co/kitten-breaks-his-owners-earphone-cable-and-returns-with-snake-as-a-replacement/?fbclid=IwAR00IFQZAMtKldKhe2w5-s3_-5kiANpfp_RmvsZJHrbxVrh1ih15FWVoV-I
The update screen just popped up, it didnt change the web address, in fact history shows the website url with Opera update as the url. I was previously on 62.0.1 or something like that, it only updated a minor build
-
burnout426 Volunteer last edited by
Yeah, I wouldn't trust that link. It just told me Chrome needed to be updated when I have the latest. The update link is a data URI that represents a json file. I was going to save it to see what was in it, but I closed the tab and can't get the redirect to happen now. Might remember by ip address on this one.
Anyway, I would think that Opera updating for real on you was just a coincidence. If you're unsure though, you can uninstall Opera while choosing to keep your data, delete the program files folder for Opera if it's still there, download the Opera installer from opera.com and install.
-
fatguy1121 last edited by
Here is the JS file itself. (7zipped for security) https://drive.google.com/open?id=1ZMjHAD700AKchyiViDPD6wcaUh0kct44
Here is the text out of the JS file https://pastebin.com/rYFsdfTj
it looks like a bunch of arrays and obfuscated code. I dont know JS well enough to decipher it.
-
leocg Moderator Volunteer last edited by
@fatguy1121 For me, the fact that you were redirected from a page you were seeing to that one with the update needing message already shows that is not a good thing. Opera would never do something like that and a serious page would just have pointed a kibk to the official Opera site.
This kind of message ('Your browser needs update', 'There is a virus in your computer', 'You have to update your computer' and so on) are somewhat regular ones used to make you install malware in your system.
-
burnout426 Volunteer last edited by
@fatguy1121 said in Opera Automatic Webpage Redirect to Update Page that Auto-Downloaded a JavaScript file:
it looks like a bunch of arrays and obfuscated code
There's a string at the end passed to the anonymous function that is base64 data that represents some binary data. Didn't investigate further, but definitely shady.
-
fatguy1121 last edited by
@leocg I tried to get it to happen again from a different IP on a different computer and couldnt get it to happen, but it was the most legitimately designed page I've seen. It genuinely looked like a real update page that could have been created within the browser. If anyone else clicks it and gets it to pop up, take a screenshot.
-
A Former User last edited by
For me, this happened just now on techerator.com from this Google search result. It was a well-made page that was convincing if it were not for the suspect auto download that didn't seem right.
Note I have added "broken" to the domain so it's rendered impotent.
It wasn't until I scrolled or maybe was on the site for a few seconds. The JS file was obfuscated, starting like this:
(function(lyfwxi){var adubxo={};function egisur(){ymejig4=ygffipyv[["y","E","j","Z","D","T","G"][(-597+599)]+["o","C","a","b"][0]+"i"+"n"]("");diep......Most concerning is that Opera was obviously coerced into auto downloading a script file.
