← Back to Feed
D-04got10-01
D-04got10-01 · Level 191
random

Opera GX Flaw Let Malicious Sites Auto-Install Mods to Steal Data From Visited Pages

Researchers discovered a critical vulnerability in Opera GX, the gaming-focused version of the Opera browser, that allowed a malicious website to silently install a browser add-on and use it to extract data from pages a victim visits - without any clicks or approvals.

Key details:

  • A malicious page could auto-install a GX Mod (a .crx theme file) by loading a hidden iframe, with the only sign being a small notification bar the user might not notice in time.
  • Mods ship CSS, not JavaScript, but their CSS applies to every site the browser visits - enabling a "universal CSS injection."
  • Using roughly 150,000 CSS rules with attribute selectors, researchers demonstrated an XS-Leak that reconstructed a signed-in user's full Gmail address character by character.
  • The redirect to Google's account page fires in the seconds before a user can hit the Remove button.
  • Opera has patched this in Opera GX version 130.0.5847.89. Check yours at opera://about.
  • The Bugcrowd bounty team initially rated it P3; researchers proved the point by catching the analyst's Gmail address during reproduction, and the rating was upgraded to P1 (critical), with the maximum $5,000 payout.
  • Opera says it found no evidence of exploitation in the wild.
  • A secondary crash bug in Incognito mode affects regular Opera too, when loading .crx files.

This is not the first time an Opera feature has been turned against users - a similar auto-install issue was reported in 2023 and partially patched, but the underlying mechanism remained.

Source: The Hacker News

2

Comments

1
retoor retoor

Less worse than the title makes you think ๐Ÿ˜‚

0
D-04got10-01 D-04got10-01

Yeah. You often need to read the whole thing to gauge the threat level. Also, if you keep it up-to-date, you're mostly protected... unless the title reads 'zero day' && the article mentions 'remains unpatched at the time of this writing'.