

Around the same time Google’s Chrome browser also began using the Nigori protocol for encrypting synced content.

According to a technical description of the encryption scheme Nigori, by Mozilla engineer Gregory Szorc:

“While Opera has not gone public with the implementation details of how shared passwords are stored, cryptographic best practices state that it shouldn’t matter to the defender if the attacker knows how secrets are kept; the only secret part should be the decryption key,” Beardsley said in a prepared remark regarding the possible Opera sync breach.

According to an Opera developer note from 2015, the company introduced password syncing with the Opera 031 release of its browser and uses the Nigori protocol for password encryption.

Tod Beardsley, senior research manager at Rapid7, applauded Opera Software for raising the red flag, but argued users should consider taking password and account synchronization into their own hands with “standalone password managers that are purpose-built with security in mind.”

Opera browser users who don’t use the sync service don’t need to take any action. The password reset, Wilton-Jones said, was primarily a precaution. Wilton-Jones said stored passwords using the sync service were either encrypted or hashed and salted in the system.

“Our investigations are ongoing, but we believe some data, including some of our sync users’ passwords and account information, such as login names, may have been compromised,” said Tarquin Wilton-Jones in Opera’s security blog.


In a security bulletin posted on Friday, the company said its Opera sync system showed “signs of an attack” and asked users to change their Opera sync passwords in addition to the passwords for any third-party websites the sync service was linked to.

Opera Software is warning 1.7 million users of its Opera web browser sync feature of a possible attack that exposes passwords to hackers.
