Opera Software is warning 1.7 million users of its Opera web browser sync feature of a possible attack that exposes passwords to hackers. In a security bulletin posted on Friday, the company said its Opera sync system showed “signs of an attack” and asked users to change their Opera sync passwords in addition to any third-party website the sync service was linked to.
“Our investigations are ongoing, but we believe some data, including some of our sync users’ passwords and account information, such as login names, may have been compromised,” said Tarquin Wilton-Jones in Opera’s security blog.
Wilton-Jones said stored passwords using the sync service were either encrypted or hashed and salted in the system. The password reset, Wilton-Jones said, was primarily a precaution. Opera browser users who don’t use the sync service don’t need to take any action.
Tod Beardsley, senior research manager at Rapid7, applauded Opera Software for raising the red flag, but argued users should consider taking password and account synchronization into their own hands with “standalone password managers that are purpose-built with security in mind.”
“While Opera has not gone public with the implementation details of how shared passwords are stored, cryptographic best practices state that it shouldn’t matter to the defender if the attacker knows how secrets are kept; the only secret part should be the decryption key,” Beardsley said in a prepared remark regarding the possible Opera sync breach.
According to an Opera developer note from 2015, the company introduced password syncing with the Opera 031 release of its browser and uses the Nigori protocol for password encryption. Around the same time, Google’s Chrome browser also began using the Nigori protocol for encrypting synced content.
According to a technical description of the encryption scheme Nigori, by Mozilla engineer Gregory Szorc:
This (Nigori) encryption scheme takes the user-supplied passphrase and uses PBKDF2 (Password-Based Key Derivation Function 2) to derive keys. It first derives a 64 bit salt key, Suser, using 1001 iterations of PBKDF2 with SHA1 using the username as the salt. Then, it performs 3 more PBKDF2 derivations to produce three 128 bit keys from the original passphrase using the newly-derived salt key, producing Kuser, Kenc, and Khmac. For these, the PBKDF2 iteration counts are 1002, 1003, and 1004, respectively. Kuser and Kenc use AES as the PBKDF2 algorithm. Kmac uses SHA-1. Kuser is used to authenticate the client with the server. Kenc and Kmac are used to encrypt and sign data, respectively. Data is encrypted with AES-128 in CBC mode with a 16 byte IV.
The protocol’s author Ben Laurie said of Nigori, “It doesn’t require you to trust anyone… The storage server(s) are incapable of getting hold of the keying material, and if you want you can use splits to ensure that individual servers can’t even attack the encrypted secrets.”
It’s unclear how Opera Software implemented its storage servers and whether they were split for added protection.
“Browser-based storage for credentials is certainly convenient and better than reusing the same three to four passwords everywhere, but password managers are nearly always going to employ more secure designs and offer more secure features like random password generation and password expiration,” Beardsley said.
Opera Software said it has notified Opera sync users via email informing them about the incident and asked them to change their passwords for not only their sync account, but any other accounts that they may have used with the sync feature. Opera Software says of its 350 million browser users less than 0.5 percent (1.7 million) use its Opera sync service.