Opera GX Vulnerability Allowed Silent Mod Installation And User Data Exposure

Opera GX Vulnerability Allowed Silent Mod Installation And User Data Exposure

Researchers have disclosed a security flaw in Opera GX that allowed malicious websites to silently install browser mods capable of extracting sensitive information from webpages visited by users. The vulnerability affected the gaming focused version of the Opera browser and demonstrated how attackers could abuse the browser’s automatic mod installation process to gather information without requiring any user interaction. As part of a proof of concept, researchers successfully reconstructed a signed in user’s full Gmail address after a single visit to a malicious website without requiring any clicks or approvals. Opera has confirmed that the issue has been patched in Opera GX version 130.0.5847.89 and stated that it found no evidence indicating the vulnerability had been exploited in real world attacks. The company also noted that the issue was assigned its highest bug bounty severity rating and awarded the maximum payout of 5,000 dollars to the researcher responsible for reporting it. Since the attack required no user approval, there was no practical workaround other than installing the updated browser version.

The vulnerability centered on Opera GX Mods, a feature that allows users to customize the browser with themes, wallpapers, sounds, and CSS styling for websites. Although these mods cannot execute JavaScript or request browser permissions like traditional extensions, researchers found that Opera automatically downloaded and enabled them without displaying an approval prompt. A malicious website could exploit this behavior by loading a hidden iframe that pointed to a specially crafted CRX package, causing the browser to silently install the mod. The only visible indication was a notification bar beneath the address bar informing users that a new mod had been added and providing an option to remove it. Researchers explained that this automatic installation mechanism had previously been identified in 2023 by security researcher Renwa, who demonstrated that installed mods could be escalated into full browser extensions capable of spoofing the browser address bar. Opera addressed that earlier attack in March 2023 but retained the automatic installation mechanism, which became the foundation for this newly disclosed research. The latest findings show that even a feature intended only for cosmetic customization can introduce security risks when deployed without sufficient user consent or validation.

Researchers described the attack as a universal CSS injection technique because the malicious styling applied by the installed mod remained active across every website visited by the browser rather than being limited to a single webpage. Although CSS cannot directly read webpage content or transmit data, attackers used specially crafted attribute selectors to infer information one character at a time. The proof of concept targeted a Google account page containing a signed in user’s email address embedded within HTML attributes. By deploying approximately 150,000 CSS rules covering every possible three character combination, the malicious mod triggered requests to an attacker controlled server whenever matching character sequences appeared on the page. Those responses allowed researchers to reconstruct the complete Gmail address through overlapping character patterns. The attack began when a victim visited a malicious website, which silently installed the browser mod before automatically redirecting the browser to the Google account page. Because the malicious CSS had already been loaded, the data extraction process completed before most users could notice or remove the installed mod. Researchers noted that while Gmail addresses were used to demonstrate the attack, the same approach could potentially recover usernames or other sensitive values exposed within webpage markup.

The research also documented a separate issue involving the browser’s extension installation process. Loading a CRX package while browsing in private mode caused the browser to crash and close every open tab. Unlike the primary vulnerability, this crash reportedly affected both Opera GX and the standard Opera browser because both products shared the same extension installation mechanism. Opera’s security advisory addressed the data exposure vulnerability but did not reference the browser crash. Initially, the vulnerability received a moderate severity rating through Opera’s Bugcrowd bug bounty program because analysts underestimated its impact. Researchers later demonstrated the seriousness of the issue by reconstructing an analyst’s own Gmail address during the review process, prompting Opera to reclassify it as a critical vulnerability with the highest priority rating. Opera maintained that exploiting the flaw required victims to visit a malicious website, receive a new browser mod, and remain on the page long enough for the redirect to occur. However, researchers argued that the entire attack completed within seconds and required no user interaction once the malicious page loaded. The findings also build upon previous browser security research, including PortSwigger’s Blind CSS Exfiltration technique and the MyFlaw issue disclosed in Opera’s My Flow feature during 2024, demonstrating that browser customization features can introduce unintended security risks when their capabilities extend across multiple websites.

Source

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.

Post Comment