Opera Software has warned 1.7 million users of its browser's sync service about a potential attack on Opera sync that could expose their passwords. The company posted a security bulletin on Friday warning that Opera's sync system was showing "signs" of attack and requested that users change their Opera sync passwords.
"Our investigations continue, but some data, including some sync user passwords, account information such as login names may have been compromised," Tarquin Wilton-Jones wrote on Opera's security blog.
Wilton-Jones said that passwords stored by sync were encrypted, hashed, and then salted by the system, and that the password reset was intended as a preventative measure. Opera browser users who don't use sync don't have to do anything.
Tod Beardsley, a senior researcher at Rapid7, applauded Opera Software for raising the red flag. However, he suggested that users consider putting password and account sync in their own hands using "standalone" password managers, which are specifically designed with security in mind.
In a prepared comment on the Opera sync hack, Beardsley said: "Opera hasn't disclosed the details of the shared password storage, but cryptographic best practice states that it doesn't matter to the defender whether the attacker knows the secrets kept."
An Opera developer note from 2015 states that password sync was introduced with the Opera 31 browser release and that it employs the Nigori protocol to protect passwords. Google Chrome also started using the Nigori protocol to encrypt synced content around this time.
Mozilla engineer Gregory Szorc has written a technical description of the Nigori encryption scheme.
The Nigori encryption scheme derives all of its keys from the user's passphrase using PBKDF2. First, it derives a 64-bit salt, Suser, using PBKDF2 with SHA-1 over 1001 iterations and the username as the salt. It then performs three more PBKDF2 derivations, each using Suser as the salt, to produce three 128-bit keys: Kuser, Kenc and Kmac, with 1003, 1003 and 1004 iterations respectively. Kenc and Kuser are used as AES keys; Kmac is used with HMAC-SHA-1. Kuser authenticates the client to the server, while Kmac and Kenc are used for signing and encrypting data. Data is encrypted with AES-128 in CBC mode using a 16-byte IV.
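To make the derivation chain above concrete, here is an added example (not Opera's, Chrome's or the Nigori project's code) that walks through it end to end: PBKDF2-HMAC-SHA1 implemented from the standard library's HMAC, the salt and three keys derived from a passphrase and username, and a record encrypted with AES-128-CBC under Kenc and authenticated with HMAC-SHA1 under Kmac. The iteration counts are an assumption: the article lists 1003 twice, while Chromium's Nigori implementation uses 1002 for Kuser, 1003 for Kenc and 1004 for Kmac, which is what this code uses. The record layout (IV, ciphertext, then tag, with PKCS#7 padding) is also this example's own choice, not a statement about the wire format Opera used. The PBKDF2 helper is checked against the RFC 6070 test vectors in the usage below, so the derivation step can be trusted before the Nigori-specific constants are layered on.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// pbkdf2SHA1 is a straightforward RFC 2898 PBKDF2 with HMAC-SHA1 as the PRF,
// written out so the derivation is visible rather than hidden in a library call.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	ctr := make([]byte, 4)
	for block := 1; block <= numBlocks; block++ {
		// U1 = PRF(password, salt || INT(block))
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(ctr, uint32(block))
		prf.Write(ctr)
		u := prf.Sum(nil)
		t := append([]byte{}, u...)
		// Un = PRF(password, Un-1); T = U1 xor U2 xor ... xor Uc
		for n := 2; n <= iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for i := range t {
				t[i] ^= u[i]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// NigoriKeys holds the salt and the three keys the scheme derives from one passphrase.
type NigoriKeys struct {
	Suser, Kuser, Kenc, Kmac []byte
}

// Iteration counts: 1001 for the salt as the article states; 1002/1003/1004 for the
// keys as in Chromium's implementation (assumption; the article prints 1003 twice).
const (
	saltIterations = 1001
	userIterations = 1002
	encIterations  = 1003
	macIterations  = 1004
)

// DeriveNigoriKeys performs the chain: Suser from the username, then the keys from Suser.
func DeriveNigoriKeys(password, username string) NigoriKeys {
	pw := []byte(password)
	suser := pbkdf2SHA1(pw, []byte(username), saltIterations, 8) // 64-bit salt
	return NigoriKeys{
		Suser: suser,
		Kuser: pbkdf2SHA1(pw, suser, userIterations, 16), // client-to-server auth
		Kenc:  pbkdf2SHA1(pw, suser, encIterations, 16),  // AES-128 key
		Kmac:  pbkdf2SHA1(pw, suser, macIterations, 16),  // HMAC-SHA1 key
	}
}

// EncryptRecord returns iv || AES-128-CBC(Kenc, PKCS#7(plaintext)) || HMAC-SHA1(Kmac, iv || ct).
func EncryptRecord(k NigoriKeys, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Kenc)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	iv := make([]byte, aes.BlockSize) // fresh 16-byte IV per record
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	mac := hmac.New(sha1.New, k.Kmac)
	mac.Write(iv)
	mac.Write(ct)
	return append(append(iv, ct...), mac.Sum(nil)...), nil
}

// DecryptRecord verifies the tag first (constant-time), then decrypts and strips padding.
func DecryptRecord(k NigoriKeys, record []byte) ([]byte, error) {
	if len(record) < 2*aes.BlockSize+sha1.Size {
		return nil, errors.New("record too short")
	}
	tagStart := len(record) - sha1.Size
	iv, ct, tag := record[:aes.BlockSize], record[aes.BlockSize:tagStart], record[tagStart:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	mac := hmac.New(sha1.New, k.Kmac)
	mac.Write(iv)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("MAC mismatch: record tampered or wrong passphrase")
	}
	block, err := aes.NewCipher(k.Kenc)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	for _, b := range pt[len(pt)-pad:] {
		if int(b) != pad {
			return nil, errors.New("bad padding")
		}
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	// Constructed sample credentials; nothing here comes from the incident.
	k := DeriveNigoriKeys("correct horse battery staple", "alice@example.invalid")
	fmt.Println("Suser:", hex.EncodeToString(k.Suser), "Kenc:", hex.EncodeToString(k.Kenc))
	rec, _ := EncryptRecord(k, []byte("site-password-1"))
	pt, err := DecryptRecord(k, rec)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
}
```

Two things worth noticing when running it: the storage server only ever needs Kuser to authenticate the client, and nothing in Kuser lets it compute Kenc or Kmac, which is the property Laurie describes below; and because the tag is checked before decryption, both a flipped ciphertext byte and a record decrypted under a different user's keys fail cleanly with a MAC error rather than yielding garbage or a padding oracle.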
Ben Laurie, the protocol's author, said of Nigori: "It doesn't require you trust anyone… Storage server(s), are incapable of getting the keying materials, and you can use splits if you wish to ensure that each server can't even access the encrypted secrets."
Opera Software has not said what it did with its storage servers, or whether they were split for additional protection.
Beardsley said that browser-based password storage is convenient and still better than reusing the same three or four passwords everywhere, but that standalone password managers almost always employ safer designs and offer more security features, such as random password generation and password expiration.
Opera Software said it had emailed Opera sync users to inform them of the incident and to ask them to reset their passwords, not just for their sync accounts but also for any other accounts whose passwords they might have synced. According to Opera Software, fewer than 0.5% (1.7 million) of its 350 million users use Opera sync.