Hidden keyboard navigation can allow cross site scripting or code execution – Opera Security Advisories

Severity

Moderate

Description

When a user is interacting with a window, that window should be visible to the user, to ensure that the user realizes it is there. If a page is displayed in a small enough window, the user may not realize it is being displayed, and if the right keyboard sequence is carefully followed, they can end up performing undesirable actions on that page. Similar attacks could also be used against Opera’s preferences to change preferences or select executables to be run by Opera. Additional social engineering steps are needed to ensure that the user presses the correct key sequence, without being able to show any relevant visual feedback, as the page cannot see that the keys are being pressed.

Opera’s Response

Opera Software has released Opera 12 and Opera 11.65, where this issue has been fixed. Web authors are encouraged to use the x-frame-options header, and similar clickjacking protections to ensure that their pages cannot be targeted by keyboard variations of clickjacking attacks.

Credits

Thanks to Jordi Chancel for reporting this issue to Opera Software.