Opera browser patches My Flow remote code execution vulnerability

portswigger.net
A bug bounty hunter was able to pivot from XSS to full-blown RCE

Opera has patched a severe web browser flaw that allowed cross-site scripting (XSS) to be escalated to remote code execution (RCE).

The browser-maker runs a technical blog series on the most interesting vulnerabilities reported through its private bug bounty program.

In a post dated September 24, Opera detailed the latest discovery of a bug bounty hunter with the handle 'Renwa', a member of the private disclosure scheme.

The researcher chose to explore what he calls one of the "cooler" features of the Chromium-based browser, known as My Flow and described as an "encrypted space shared between Opera Touch and your Opera computer browser".

The technology allows users to exchange files, links, YouTube videos, photos and personal notes, and access them at any time from…
Charlie Osborne