Pwning Opera Unite with Inferno's Eleven
----------------------------------------
Complete Post at
http://securethoughts.com/2009/08/pwning-opera-unite-with-infernos-eleven/

Opera Unite, the upcoming version of the Opera browser has a strong vision
to change how we look at the web. For those who are unknown to this radical
technology, it extends your browser into a full-blown collaboration suite
where you can chat with people, leave notes, share files, play media, host
your sites, etc. (Wow!!).

Opera Unite comes bundled with a bunch of standard services such as Fridge
(Notes), The Lounge (chatroom), etc. It is important to understand that
these services have two distinct views. One view is of the Service Owner,
who installs, customizes and runs these services on his or her computer. The
service owner and the computer running these services have associated
identifiers. By default, computer name is "home". So, your administrative
homepage is http://admin.home.uid.operaunite.com/. Remember that even though
the protocol of communication looks like http, it is not. Opera relays all
traffic using a proprietary ucp protocol (encrypted) to asd.opera.com and
auth.opera.com (no protocol details except here). The other view is of the
Service Page which is used by your users (friends, customers, etc) to access
your selected content. These trusted users can access your services from any
browser (not just opera unite) and uses the plain http protocol. The service
homepage is http://home.uid.operaunite.com/.

I was fascinated by this idea, so I decided to look at the security aspects
of the product (while it was in beta). Here are my findings in no particular
priority order (tested on 10.00 Beta 3 Build 1703). 

1. Enumerating Service Owner Usernames 

2. Enumerating Computer names for a particular Service Owner 

3. Enumerating Service Owner Server IP address and Port number 

4. Hijacking Insecure Communication in Service Pages 

5. Hosting Phishing Pages and other Malware on Trusted Operaunite.com 

6. CSRF-ing a File Upload from a Trusted User 

7. CSRF-ing a Note on the Fridge 

8. CSRF-Ing anyuserid to join a chatroom 

9. XSS ing the unite-session-id cookie, works for almost all services 

10. Clickjacking any Service Page 

11. Inconsistency in Password Policy for some services

Read details at
http://securethoughts.com/2009/08/pwning-opera-unite-with-infernos-eleven/

Thanks and Regards,
Inferno
Security Researcher
SecureThoughts.com