Summary
Opera's HTTP authentication dialog cuts off long server names at the right-hand end.
Severity: Less severe
Problem description
Opera's HTTP authentication dialog is displayed when the user enters a Web page that requires a login name and a password. To show the user which server asked for login credentials, the dialog displays the server name.
The user has to see the entire server name, because a truncated name can be misleading. Opera's authentication dialog cuts off long server names at the right-hand side, adding an ellipsis (...) to indicate that the name has been cut off.
The dialog has a predictable size, allowing an attacker to create a server name which will look almost like a trusted site, because the real domain name has been cut off. The three dots at the end will not be obvious to all users.
This flaw can be exploited by phishers who can set up custom sub-domains, for example by hosting their own public DNS.
Opera's response
Opera Software has released Opera 9.22, which does not truncate long server names in the authentication dialog. If the name is too long to fit inside the dialog, it scrolls back and forth to show the full server name.
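The truncation described under "Problem description", as an added example that is not Opera's code: it compares right-hand truncation with an alternative that keeps the right-hand end of the name visible (a different mitigation from the scrolling used in Opera 9.22). The host name, the 25-character width, the function names and the "last two labels" rule are assumptions made for illustration.

```javascript
// Added example. Host names are constructed, under the reserved .example TLD.
const ELLIPSIS = "\u2026"; // single-character ellipsis

// Behaviour described in the advisory: keep the left-hand end, cut the right.
function truncateRight(host, width) {
  if (host.length <= width) return host;
  return host.slice(0, width - ELLIPSIS.length) + ELLIPSIS;
}

// Alternative: keep the right-hand end and cut only at a label boundary,
// so the labels that identify the server's domain are never dropped first.
function truncateLeft(host, width) {
  if (host.length <= width) return host;
  const labels = host.split(".");
  const kept = [];
  let used = ELLIPSIS.length;
  for (let i = labels.length - 1; i >= 0; i--) {
    const cost = labels[i].length + 1; // label plus its leading "."
    if (used + cost > width) break;
    kept.unshift(labels[i]);
    used += cost;
  }
  // Not even the last label fits: show the raw tail of the name.
  if (kept.length === 0) return ELLIPSIS + host.slice(-(width - ELLIPSIS.length));
  return ELLIPSIS + "." + kept.join(".");
}

// Assumption: the last `n` labels stand in for the registered domain.
// A real check would consult the Public Suffix List.
function showsDomainEnd(host, shown, n = 2) {
  const tail = host.split(".").slice(-n).join(".");
  return shown === host || shown.endsWith("." + tail);
}

const host = "www.trusted-bank.example.login.attacker-host.example";
const WIDTH = 25; // assumed dialog capacity in characters
for (const f of [truncateRight, truncateLeft]) {
  const shown = f(host, WIDTH);
  console.log(f.name.padEnd(14), shown, showsDomainEnd(host, shown));
}
```

A UI test can run `showsDomainEnd` over every string a credential prompt renders and fail whenever it returns false.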