Opera’s HTTP authentication cuts off long server names at the end – Opera Security Advisories


Opera’s HTTP authentication dialog cuts off long server name at the right hand end.

Severity: Less severe

Problem description

Opera’s HTTP authentication dialog is displayed when the user enters a Web page that requires a login name and a password. To inform the user which server it was that asked for login credentials, the dialog displays the server name.

The user has to see the entire server name. A truncated name can be misleading. Opera’s authentication dialog cuts off the long server names at the right hand side, adding an ellipsis (…) to indicate that it has been cut off.

The dialog has a predictable size, allowing an attacker to create a server name which will look almost like a trusted site, because the real domain name has been cut off. The three dots at the end will not be obvious to all users.

This flaw can be exploited by phishers who can set up custom sub-domains, for example by hosting their own public DNS.

Opera’s response

Opera Software has released Opera 9.22, which does not truncate long server names in the authentication dialog. If the name is too long to fit inside the dialog, it scrolls back and forth to show the full server name.
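
The display problem described above, as an added JavaScript example (not Opera's code): it compares right-hand truncation with eliding from the left, and checks whether the rendered text still shows the labels that identify the owning domain. It assumes a width counted in characters and treats the last two labels as the owning domain; `SAMPLE`, `WIDTH` and all function names are constructed for illustration.

```javascript
// Added illustration; not Opera's code. Widths are in characters (assumption:
// a real dialog measures pixels) and the owning domain is approximated as the
// last two labels (a real implementation would use the Public Suffix List).
const ELLIPSIS = "\u2026";

// Behaviour described in the advisory: keep the left end, cut the right end.
function truncateRight(host, maxChars) {
  if (host.length <= maxChars) return host;
  return host.slice(0, maxChars - 1) + ELLIPSIS;
}

// Alternative rule: cut the left end so the rightmost labels stay visible.
function elideLeft(host, maxChars) {
  if (host.length <= maxChars) return host;
  return ELLIPSIS + host.slice(host.length - (maxChars - 1));
}

// Last `labels` DNS labels of the host, lower-cased, trailing dot ignored.
function trailingLabels(host, labels = 2) {
  const parts = host.toLowerCase().replace(/\.$/, "").split(".");
  return parts.slice(-labels).join(".");
}

// True when the rendered text no longer ends with the deciding labels,
// i.e. the user cannot see which domain is asking for credentials.
function hidesOwner(rendered, host, labels = 2) {
  return !rendered.toLowerCase().endsWith(trailingLabels(host, labels));
}

// Constructed sample: a long name under the hypothetical domain "owner.example".
const SAMPLE = "www.trusted-site.example.login.session.owner.example";
const WIDTH = 32; // hypothetical dialog capacity in characters

function demo() {
  const right = truncateRight(SAMPLE, WIDTH);
  const left = elideLeft(SAMPLE, WIDTH);
  return {
    right, rightHides: hidesOwner(right, SAMPLE),
    left, leftHides: hidesOwner(left, SAMPLE),
  };
}

console.log(demo());
```

A check like `hidesOwner` can be used in UI tests to assert that a credential prompt never renders a host with its owning domain cut away.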