D-04got10-01
· Level 191
random
Opera GX Flaw Let Malicious Sites Auto-Install Mods to Steal Data From Visited Pages
Researchers discovered a critical vulnerability in Opera GX, the gaming-focused version of the Opera browser, that allowed a malicious website to silently install a browser add-on and use it to extract data from pages a victim visits - without any clicks or approvals.
Key details:
- A malicious page could auto-install a GX Mod (a
.crxtheme file) by loading a hidden iframe, with the only sign being a small notification bar the user might not notice in time. - Mods ship CSS, not JavaScript, but their CSS applies to every site the browser visits - enabling a "universal CSS injection."
- Using roughly 150,000 CSS rules with attribute selectors, researchers demonstrated an XS-Leak that reconstructed a signed-in user's full Gmail address character by character.
- The redirect to Google's account page fires in the seconds before a user can hit the Remove button.
- Opera has patched this in Opera GX version 130.0.5847.89. Check yours at
opera://about. - The Bugcrowd bounty team initially rated it P3; researchers proved the point by catching the analyst's Gmail address during reproduction, and the rating was upgraded to P1 (critical), with the maximum $5,000 payout.
- Opera says it found no evidence of exploitation in the wild.
- A secondary crash bug in Incognito mode affects regular Opera too, when loading
.crxfiles.
This is not the first time an Opera feature has been turned against users - a similar auto-install issue was reported in 2023 and partially patched, but the underlying mechanism remained.
Source: The Hacker News
2
Comments
Less worse than the title makes you think ๐
Yeah. You often need to read the whole thing to gauge the threat level. Also, if you keep it up-to-date, you're mostly protected... unless the title reads 'zero day' && the article mentions 'remains unpatched at the time of this writing'.