I’m glad you’re here. Please have fun reading (@nmochea).

While using opera browser for android I noticed something strange the address bar in opera browser replaced by the reader mode and the web title added without any filter.

I know that I can trigger the xss in reader mode but i dont know where so this my conclusion visit the website with xss payload and click the reader mode then xss will trigger.

I was on the website I looked in reader mode but it did not show up hmm wtf so i looked another website, again, again but still not showing up the reader mode, I would have given up

but an idea entered my mind what if I compose my own payload and that is what I will read in reader mode maybe the xss payload trigger, so what site i can compose my payload and then i remember about google calendar you can write title and description its perfect for what I’m looking for.

Step to Reproduce

  • Open opera browser goto

https://calendar.google.com/calendar/u/0/r?pli=1

Title

“><img src=x onerror=alert(1);

Description

&lt;head>
&lt;/head>
&lt;body>
&lt;/script>
&lt;/body>

  • Goto inbox open the message and copy the message id from url address
  • Insert the message id to this link

https://mail.google.com/mail/u/0/?source=sync&tf=1&view=pt&th=[ID]&search=all&msg=[ID]

Hall of Fame

I’m added to Opera Security Hall of Fame in 2020 List of Hall of Fame.

Vulnerability Disclosure

Sep-23-2020: I emailed Opera Security Team regarding this vulnerability issue.

Sep-25-2020: I provided additional details and some screenshot as proof of concepts.

Sep-29-2020: The Opera Browser released an updated, the security team emailed me that the vulnerability has been fixed and ask me to reproduce again to confirmed the fixed.

Thanks for reading this article, I hope you guys learn something new today. Please share this article to spread the knowledge.

Security Researchers