WAP form content can be leaked to other sites – Opera Security Advisories




When accepting user input in form fields on a WAP page, WML requires that the input contents are remembered and used to populate every further input sharing the same name. This should continue for as long as the user continues to click links (known as a WAP session), even populating similarly named inputs on other sites. WAP site authors are expected to remove sensitive information from the browser context by clearing the variables containing this information. Failure to clear this information could lead to the sensitive information being leaked to other sites that the page links to.

When the user creates a new WAP session by manually entering a new URL to visit, any existing variables are supposed to be cleared. Opera failed to clear the variables in this case, allowing sensitive information to be leaked to unrelated sites even if the user manually navigated to those sites, not just when accessed through links.

Opera’s response

Opera Software has released Opera 11.00, where this issue has been fixed. WML still requires WAP site authors to clear any variables containing sensitive information, to avoid that information being leaked to sites that are accessed through links. Authors are encouraged to use HTML and HTTP in place of WML and WAP.
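
The following deck sketches how a WAP site author can clear sensitive variables as described above. It is an added example, not taken from the advisory or from Opera; the variable names, card ids and URLs are hypothetical, and it assumes the server sends the user to the "home" card after a successful sign-in.

```xml
<?xml version="1.0"?>
<!DOCTYPE wml PUBLIC "-//WAPFORUM//DTD WML 1.1//EN"
  "http://www.wapforum.org/DTD/wml_1.1.xml">
<!-- Constructed example: variable names, card ids and URLs are hypothetical. -->
<wml>
  <!-- Entry card: newcontext="true" resets the browser context (variables
       and history) on entry, so values set by a previous site are dropped. -->
  <card id="login" title="Sign in" newcontext="true">
    <p>
      Account: <input name="acct" type="text"/>
      PIN: <input name="pin" type="password"/>
      <anchor>Sign in
        <go href="/auth" method="post">
          <postfield name="acct" value="$(acct)"/>
          <postfield name="pin" value="$(pin)"/>
        </go>
      </anchor>
    </p>
  </card>

  <!-- Card shown after sign-in (assumption: the server directs the user
       here once /auth succeeds). The sensitive variables are set to the
       empty string, which WML treats as unset, before any link to another
       site is offered. -->
  <card id="home" title="Home">
    <onevent type="onenterforward">
      <refresh>
        <setvar name="acct" value=""/>
        <setvar name="pin" value=""/>
      </refresh>
    </onevent>
    <p>
      Signed in.
      <a href="http://partner.example/">Partner site</a>
    </p>
  </card>
</wml>
```

Any input on the linked site named "acct" or "pin" then starts empty, because the variables were cleared before the user could follow the link.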