Opera GX Flaw Let Malicious Sites Auto-Install Mods to Steal Data From Visited Pages
A critical vulnerability in Opera GX allowed malicious websites to silently install browser mods without user consent or interaction. The installed mods utilized "universal CSS injection," applying styles across all visited pages to execute XS-Leak attacks. Researchers demonstrated stealing a full Gmail address by reconstructing it character-by-character using attribute selectors and background image requests. The flaw was rated P1 (critical) by Opera, patched in version 130.0.5847.89, and award
Analysis
TL;DR
- A critical vulnerability in Opera GX allowed malicious websites to silently install browser mods without user consent or interaction.
- The installed mods utilized "universal CSS injection," applying styles across all visited pages to execute XS-Leak attacks.
- Researchers demonstrated stealing a full Gmail address by reconstructing it character-by-character using attribute selectors and background image requests.
- The flaw was rated P1 (critical) by Opera, patched in version 130.0.5847.89, and awarded the maximum $5,000 bug bounty.
- The attack chain required zero clicks, leveraging automatic redirects to exfiltrate data before users could remove the mod.
Why It Matters
This incident highlights the severe security risks associated with features that allow automatic installation of third-party code, even if labeled as non-executable "mods." It demonstrates how visual styling mechanisms can be weaponized for significant data exfiltration, challenging the assumption that CSS-only attacks are limited to single-page contexts. For browser developers and security teams, it underscores the necessity of strict user consent flows and rigorous sandboxing for any auto-installable components.
Technical Details
- Silent Installation Vector: The vulnerability stemmed from Opera GX’s mod pipeline, which downloaded and enabled
.crxfiles via hidden iframes without prompting for approval, allowing immediate execution upon visiting a malicious site. - Universal CSS Injection: Unlike standard CSS injection confined to a single page, the installed mod’s CSS was applied globally to every subsequent page the user visited, enabling persistent access to sensitive data across sessions.
- XS-Leak Mechanism: Attackers used approximately 150,000 CSS rules with attribute selectors to test for specific substrings (trigrams) of target data. When a match occurred, the browser fetched a background image from the attacker’s server, revealing the character.
- Proof of Concept Execution: The researchers reconstructed a Gmail address by overlapping three-letter chunks, avoiding the memory limits encountered with four-letter chunks (which required 5.6 million rules). A JavaScript redirect triggered the data theft on Google’s account page immediately after mod installation.
- Secondary Impact: Loading a
.crxfile in Incognito mode caused a browser crash, dumping all open tabs, affecting both Opera GX and standard Opera browsers.
Industry Insight
Browser vendors must enforce explicit user consent for any automatic installation of extensions or mods, regardless of their perceived permissions or capabilities. Security teams should audit "cosmetic" or non-JavaScript features for potential abuse in data exfiltration techniques like CSS-based side-channel attacks. Additionally, bug bounty programs require specialized triage expertise to correctly identify complex, multi-stage attacks that may initially appear low-severity due to their reliance on user interaction assumptions.
Disclaimer: The above content is generated by AI and is for reference only.