Do more on the web, with a fast and secure browser!

Download Opera browser with:

  • built-in ad blocker
  • battery saver
  • free VPN
Download Opera

[Privacy bug] The creating a bookmark in a private tab with VPN causes connection non through VPN

  • When you are in incognito mode (private tab in Opera) and use Opera "VPN" if you add a bookmark it causes connection non through VPN to this site for the image preview.

    It can be easy detected by DNS leaking. (You need only DNSQuerySniffer)

    1. Run DNSQuerySniffer (as Administrator)
    2. Opera a private tab
    3. Open any site
    4. Bookmark the tab
    5. See that the site domain was resolved non through VPN so you see DNS resolve in DNSQuerySniffer.

    It's a bug. PRIVACY BUG.

    (Just for SEO: security bug)

  • Sad to say, but it is not a new bug. Opera 58 has it too.

  • The related topics:
    [1]
    Bookmarking a new site (which you din’t visit in non-incognito mode before), bookmarks will not have a favorite icon.

    [2]
    The creepy bookmark warning when you create a bookmarks and have at least one incognito tab.
    Better change the text what creating a bookmark in incognito mode will cause the privacy leak.

  • It can be easy detected by DNS leaking. (You need only DNSQuerySniffer)
    ....

    The additional:
    The private tab is with enabled "VPN".
    The non-private tab (window) is without enabled "VPN".

    So, the problem is obvious – сreating of a bookmark happens in common window even you add it in an incognito tab.

  • You know that search engines circumvent the VPN by default in Opera?

    Ridiculous default of course, that goes for much more in Opera.
    [The most serious thing is that Opera starts by default as a scheduled task to check for updates.
    In practice, this means that every time Windows Opera starts up, it always checks automatically for updates.
    How you dare to call yourself a privacy browser remains a mystery to me.
    By the way, Brave and I think Chrome (you can find it anywhere in Windows where you don't want it anyway) as well.
    Actually it's a pity Opera doesn't have these things in order, in itself it's a pretty nice browser.]

  • You know that search engines circumvent the VPN by default in Opera?

    I don't think that is a problem.

    • It can be easily found in the options (It's not a hidden option).
    • It can be disabled (It's the important part).
    • It has benefits - you get a relevant search result (for based on your IP location) and no captcha.

    The most serious thing is that Opera starts by default as a scheduled task to check for updates

    I also want an option to easily disable auto-updates, for example, future Manifest V3 can break a lot of extensions that get you better privacy (not only ads blockers).

  • Bump.

    Or Opera team think that it is an appropriate behavior?

  • Can you double-check that this is still the case now since the bookmarks manager now loads in the private window again when you open it from the private window?

  • I opened a private tab, enable "VPN", opened a site. Connection is through "VPN". There is no log in DNSQuerySniffer about the connection to the site.

    Bookmark the site:
    Screenshot.png
    The image for the bookmark are loaded non through "VPN".
    As a result the part of the connection – DNS resolve – is showed in DNSQuerySniffer log.

  • Okay. Thanks for the update. I'll test and test in Opera Developer too. Don't know if it's expected behavior or not yet though.

    In Opera Developer, I'll see if opera://flags/#opera-doh makes a difference. Since the query goes over HTTPS, maybe it'll go through the VPN then. Maybe it won't though still if it's an issue with private window/normal window context where the VPN isn't on in the normal window.

    I assume everything works fine if VPN is on by default and then you open a private window?

  • @burnout426
    This happens then "VPN" enabled only in a private tab. Obviously, because the process of creating of a bookmark is going in common window that is wrong.

    DNS over HTTPS is not a decision. Absolutely.

    DNS resolve is just a part of connection to the site, the next step is HTTP/HTTPS connection that also in this case does not go through "VPN". In this case IP of the site and a content (in case HTTP) are visible for ISP.

  • DNS over HTTPS is not a decision. Absolutely.

    Here is it.

    site conenction.png
    HTTP (TCP) connection is visible too. It is unacceptable for any good VPN.

    (I have used Wireshark.)

  • A bit more presentable screenshot (domain of images for the previews is the same as domain of the site):
    v2 site.png
    This site is on HTTP so I (and ISP) can see the all content, not only IPs.

  • Thanks for all the details. Opera has confirmed your findings and they are investigating. I'll post if there are any updates.

  • Partial fix in https://blogs.opera.com/desktop/changelog-for-65/#b3459.0, but there's a little more to do, so sit tight.

  • It does not fixed.
    65.0.3467.48

  • Correct. It's still being worked on.

Log in to reply