Severity
Description
Video content may be used as filler content for a HTML5 canvas, if the video format is natively supported by Opera. If the video and page are from the same site, the content of the canvas can be safely read out by scripts. In some cases, Opera does not check the video’s origin correctly, and may allow videos from unrelated sites to be used as canvas content, without protecting the content from scripts.
Provided that an attacker knows the address of a private video stream that the user has access to, and they can convince the user to open a malicious page, they can extract and read the frames of that video via the canvas, and send them to their chosen destination.
Opera’s response
Opera Software has released Opera 10.63, where this issue has been fixed.
Credits
Thanks to Nirankush Panchbhai of Microsoft Vulnerability Research (MSVR) for reporting this issue to Opera Software.