U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Play the Opera Please – Opera patches a flaw in their turbo servers

Opera released a mini patch for a vulnerability in their turbo servers that dates back to 2018. Prior approval are taken from Opera security team before disclosing this issue! Before we get started there are few things which we need to understand such as, Value added service (VAS): Value added services (VAS) is a popular telecommunications […]

Opera

Opera released a mini patch for a vulnerability in their turbo servers that dates back to 2018.

Prior approval are taken from Opera security team before disclosing this issue!

Before we get started there are few things which we need to understand such as,

Value added service (VAS): Value added services (VAS) is a popular telecommunications term for non-core services, example: (Caller-tunes, Missed call alerts, Online gaming etc).

GGSN: The gateway GPRS support node (GGSN) is a main core component, GGSN is responsible for the interworking between the GPRS network and external packet, basically this is a routing device.

HTTP header enrichment (HE Process): HTTP header enrichment is the process of adding data fields in the HTTP header. This is commonly used in mobile networks by adding user and device identifiers in HTTP requests such as IMEI, IMSI, MSISDN or other data to identify subscriber or mobile device details[1].

As per my understanding during a VAS subscription process, GGSN picks up the MSISDN from HTTP header to subscribe end users, the idea is to abuse HTTP header enrichment process via Opera mini browser which could lead to fraudulent VAS activation.

Why Opera mini? Opera mini is famous for data compression (data saving mode) although it supports three types of data savings compressions modes. direct, extreme and high.

Once the request is initiated and routed by GGSN all communication happens in HTTPS, hence GGSN will not be familiar with the source MSISDN, because there is no header enrichment process, Opera turbo server establishes a secure session to perform the rest of the process during the subscription. In this case, GGSN acts as a routing device and fails to perform HE process (Because HE can only be performed on HTTP protocol but Opera mini creates an HTTPS-based session).

Post this if we navigated to https://www.inputzer.io sniff the packets via Wireshark the source IP would be our public IP and destination hits to opera turbo servers such as `global-4-lvs-hopper.opera-mini.net` rather than www.inputzero.io.

Having said that, after countless assessment on the subscription process via opera mini, I found one `ping`  request which is generated via opera mini, when its is open for the first time after clearing the cache and temp data of the browser. It was observed, that ping request is responsible for taking MSISDN and creating the session for entire flow.

Injecting MSISDN headers in this request with the victims MSISDN, the session was established by the victims number with opera turbo server and now you can impersonate the victim and subscribe for any VAS service to deduct his/her digital money. With a successful subscription using the above steps and server log it was concluded that opera turbo servers don’t validate/filter certain injected HTTP headers which lead to activation of VAS services.

Patch: Opera turbo stops forwarding such injected HTTP headers and CVE-2018-19825 was assigned to this which states “Lack of filtering of certain HTTP headers could lead to fraudulent VAS activation.”

About the Author: Security Researcher Dhiraj Mishra (@mishradhiraj)

Original Post @ https://www.inputzero.io/2021/04/play-the-opera-please.html

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, IKEA)

[adrotate banner=”5″]

[adrotate banner=”13″]