Simulated text inputs can trick users into uploading arbitrary files – Opera Security Advisories


Moderately Severe


Problem Description

When a user types into a file input, scripts can cause some of the keystrokes to be ignored. If a script convinces the user that they are typing into a normal text input, and hides the fact that some keystrokes are being ignored, it can make the file input point to a known file path on the user’s computer. The file can then be uploaded without user interaction.

Opera’s Response

Opera Software has released Opera 9.26, where this issue has been fixed.


Thanks to Mozilla for reporting this issue to Opera Software.