Security researchers have identified a critical vulnerability in Opera GX, the gaming-centric variant of the Opera browser, which permitted malicious websites to silently install browser mods and extract sensitive data from users’ browsing sessions. This flaw has been addressed in the latest browser update.
Understanding the Vulnerability
Opera GX offers a feature called GX Mods, enabling users to customize their browsing experience with unique sounds, themes, wallpapers, and CSS modifications. These mods are packaged as .crx files, similar to browser extensions, but are designed without the capability to execute JavaScript or access additional permissions.
The core issue lay in the mod installation process. Opera GX’s system automatically downloaded and activated mods without requiring user approval. This allowed a malicious website to covertly install a mod by embedding a hidden iframe that pointed to a .crx file. The only indication of this installation was a subtle notification bar beneath the address bar, offering a ‘Remove’ button.
Exploitation Mechanism
While GX Mods are intended to enhance the browser’s aesthetics, their CSS is applied universally across all visited websites. This universal application enabled attackers to inject CSS that could extract data from any webpage the user accessed. By leveraging CSS attribute selectors, attackers could systematically determine specific values, such as email addresses, by triggering requests to their servers when certain conditions were met. This method, known as a cross-site leak (XS-Leak), allowed the reconstruction of sensitive information like a user’s Gmail address without any user interaction.
In a proof-of-concept demonstration, researchers crafted a mod containing approximately 150,000 CSS rules, each targeting potential three-letter segments of an email address. When a user visited a malicious site, the mod installed silently, and a script redirected the browser to a Google account page displaying the user’s email. The mod’s CSS then initiated requests that leaked the email address character by character as the page loaded, all before the user could react to the notification.
Response and Mitigation
Upon disclosure, Opera promptly addressed the vulnerability by releasing a patch in Opera GX version 130.0.5847.89. Users are advised to verify their browser version by navigating to opera://about to ensure they are protected. The company has stated that there is no evidence of this flaw being exploited in the wild.
Given the attack’s zero-click nature, no interim workaround was available prior to the patch. Opera’s bug bounty program recognized the severity of the issue, classifying it as a P1 (top severity) vulnerability and awarding the maximum bounty of $5,000 to the reporting researchers.
It’s noteworthy that the auto-installation behavior of GX Mods had been previously identified as a potential security risk. In 2023, a researcher exploited this mechanism to spoof the browser’s address bar, leading to a patch that addressed that specific exploit but left the underlying auto-installation process unchanged. This recent vulnerability underscores the importance of reevaluating and securing such features comprehensively.
While Opera has taken swift action to rectify this issue, it serves as a reminder of the potential risks associated with browser customization features. Users should remain vigilant, keep their software updated, and be cautious of unexpected browser behaviors to mitigate potential security threats.