While looking at Opera functionalities I stumbled upon the built-in VPN inside the browser, and I was able to find a technique that allows an attacker to bypass the VPN connection and get the user's real IP.
You can enable the VPN in settings and start using it.
There is another functionality called "Bypass VPN for default search engines". It means that if you're using Google, the VPN is turned off for every search you make and for everything you browse on google.com. The same thing happens for any other default search engine you have, like Yandex or DuckDuckGo.
But there is a problem: search engines these days are very powerful and can do many things, not just find pages. You can ask them questions and they will answer them for you; for example, you can type "what's my ip" and it will show your IP without going to any other site.
And most of these search engines have an API that allows answers to be retrieved from other sites via cross-site requests. For example, https://api.duckduckgo.com/?q=where%20is%20paris&format=json&pretty=1 shows the answer directly. The problem is that this same API can be used to get the real IP of the user, because the request to the search engine's host goes around the VPN. PoC:
Steps to reproduce:
1. Go to settings and change your default search engine to DuckDuckGo
2. Enable the VPN and check the "Bypass VPN for default search engines" option
3. Visit https://whatismyipaddress.com/ to see your new IP with the VPN
4. Visit https://mydomain/opera_vpn_bypass.html to see your real IP, obtained by bypassing the VPN using the bug described above
Code used in my domain:
Reported 27 Sep 2021 and patched after 3 months. Bounty: $1k.
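To make the root cause concrete, here is an added example (it is neither Opera's code nor the PoC page from this write-up) that models the browser's per-request "bypass VPN for default search engine" decision. A rule keyed on the destination host alone lets a cross-site fetch from any web page to the search engine's instant-answer API leave the tunnel; a rule scoped to top-level navigations that were not initiated by a cross-origin document keeps the feature working for omnibox searches while routing the cross-site fetch through the VPN. The set of search-engine hosts, the subdomain matching, and the request fields (initiator, top_level) are assumptions made for the model.

```python
"""
Model of a browser's per-request "bypass VPN for default search engine" rule.

Added illustration, not Opera's implementation: the rule shapes below are
assumptions used to show why matching the destination host alone leaks the
real IP to cross-site requests, and how scoping the bypass closes that hole.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

# Assumed set of default-search-engine hosts eligible for the bypass.
SEARCH_ENGINE_HOSTS = {"duckduckgo.com", "www.google.com", "yandex.com"}


@dataclass(frozen=True)
class Request:
    url: str                  # destination URL
    initiator: Optional[str]  # origin of the document that issued it; None for omnibox/typed navigations
    top_level: bool           # True for a main-frame navigation, False for fetch/XHR/subresources


def _host_matches(host: str) -> bool:
    """Assumed matching: the engine host itself or any subdomain (e.g. api.duckduckgo.com)."""
    return any(host == h or host.endswith("." + h) for h in SEARCH_ENGINE_HOSTS)


def bypass_vpn_host_only(req: Request) -> bool:
    """Vulnerable rule: leave the tunnel whenever the destination is a search-engine
    host, regardless of which document issued the request. A fetch() from any page to
    the engine's API therefore goes out over the user's real connection."""
    return _host_matches(urlsplit(req.url).hostname or "")


def bypass_vpn_scoped(req: Request) -> bool:
    """Hardened rule: leave the tunnel only for top-level navigations to the engine that
    were typed/omnibox-initiated or initiated from the engine's own site. Subresource
    requests and cross-origin-initiated navigations stay inside the VPN."""
    if not _host_matches(urlsplit(req.url).hostname or ""):
        return False
    if not req.top_level:
        return False
    if req.initiator is None:
        return True
    return _host_matches(urlsplit(req.initiator).hostname or "")


def route(req: Request, rule: Callable[[Request], bool]) -> str:
    """Where the request is sent: 'direct' (real IP exposed) or 'vpn' (tunnelled)."""
    return "direct" if rule(req) else "vpn"


# Constructed sample requests (hosts other than the engine are placeholders).
OMNIBOX_SEARCH = Request("https://duckduckgo.com/?q=what+is+my+ip", None, True)
CROSS_SITE_FETCH = Request(
    "https://api.duckduckgo.com/?q=where%20is%20paris&format=json",
    "https://third-party.example", False)
UNRELATED_FETCH = Request("https://cdn.example/app.js", "https://third-party.example", False)


def leak_report(rule: Callable[[Request], bool]) -> Dict[str, str]:
    """Routing outcome for each sample request under the given rule."""
    return {
        "omnibox_search": route(OMNIBOX_SEARCH, rule),
        "cross_site_api_fetch": route(CROSS_SITE_FETCH, rule),
        "unrelated_fetch": route(UNRELATED_FETCH, rule),
    }


if __name__ == "__main__":
    for name, rule in (("host-only", bypass_vpn_host_only), ("scoped", bypass_vpn_scoped)):
        print(name, leak_report(rule))
```

Under the host-only rule both the omnibox search and the cross-site API fetch are reported as "direct", which is the leak; under the scoped rule the omnibox search is still "direct" (the feature keeps working) while the cross-site fetch is "vpn". The user-facing check is the one the steps above describe: compare the IP a normal site sees with the IP a page can obtain through the search engine's API, and the two should match while the VPN is on.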