AI Security AI安全 4d ago Updated 4d ago 更新于 4天前 46

Opera GX Flaw Let Malicious Sites Auto-Install Mods to Steal Data From Visited Pages Opera GX漏洞允许恶意网站自动安装插件以窃取访问页面数据

A critical vulnerability in Opera GX allowed malicious websites to silently install browser mods without user consent or interaction. The installed mods utilized "universal CSS injection," applying styles across all visited pages to execute XS-Leak attacks. Researchers demonstrated stealing a full Gmail address by reconstructing it character-by-character using attribute selectors and background image requests. The flaw was rated P1 (critical) by Opera, patched in version 130.0.5847.89, and award Opera GX存在严重安全漏洞,允许恶意网站静默安装浏览器插件(Mod),无需用户点击或授权。 攻击者利用“通用CSS注入”技术,通过属性选择器逐字符窃取用户跨站数据(如Gmail地址),实现零点击数据泄露。 该漏洞被Opera评为最高严重等级P1,已发布补丁修复,但官方确认无证据表明其在野外被实际利用。 攻击原理基于2023年发现的自动安装机制,研究人员通过重构分析师自身邮箱地址证明了PoC的有效性。 除数据窃取外,同一漏洞路径在隐私模式下加载.crx文件可导致浏览器崩溃并泄露所有标签页信息。

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • A critical vulnerability in Opera GX allowed malicious websites to silently install browser mods without user consent or interaction.
  • The installed mods utilized "universal CSS injection," applying styles across all visited pages to execute XS-Leak attacks.
  • Researchers demonstrated stealing a full Gmail address by reconstructing it character-by-character using attribute selectors and background image requests.
  • The flaw was rated P1 (critical) by Opera, patched in version 130.0.5847.89, and awarded the maximum $5,000 bug bounty.
  • The attack chain required zero clicks, leveraging automatic redirects to exfiltrate data before users could remove the mod.

Why It Matters

This incident highlights the severe security risks associated with features that allow automatic installation of third-party code, even if labeled as non-executable "mods." It demonstrates how visual styling mechanisms can be weaponized for significant data exfiltration, challenging the assumption that CSS-only attacks are limited to single-page contexts. For browser developers and security teams, it underscores the necessity of strict user consent flows and rigorous sandboxing for any auto-installable components.

Technical Details

  • Silent Installation Vector: The vulnerability stemmed from Opera GX’s mod pipeline, which downloaded and enabled .crx files via hidden iframes without prompting for approval, allowing immediate execution upon visiting a malicious site.
  • Universal CSS Injection: Unlike standard CSS injection confined to a single page, the installed mod’s CSS was applied globally to every subsequent page the user visited, enabling persistent access to sensitive data across sessions.
  • XS-Leak Mechanism: Attackers used approximately 150,000 CSS rules with attribute selectors to test for specific substrings (trigrams) of target data. When a match occurred, the browser fetched a background image from the attacker’s server, revealing the character.
  • Proof of Concept Execution: The researchers reconstructed a Gmail address by overlapping three-letter chunks, avoiding the memory limits encountered with four-letter chunks (which required 5.6 million rules). A JavaScript redirect triggered the data theft on Google’s account page immediately after mod installation.
  • Secondary Impact: Loading a .crx file in Incognito mode caused a browser crash, dumping all open tabs, affecting both Opera GX and standard Opera browsers.

Industry Insight

Browser vendors must enforce explicit user consent for any automatic installation of extensions or mods, regardless of their perceived permissions or capabilities. Security teams should audit "cosmetic" or non-JavaScript features for potential abuse in data exfiltration techniques like CSS-based side-channel attacks. Additionally, bug bounty programs require specialized triage expertise to correctly identify complex, multi-stage attacks that may initially appear low-severity due to their reliance on user interaction assumptions.

TL;DR

  • Opera GX存在严重安全漏洞,允许恶意网站静默安装浏览器插件(Mod),无需用户点击或授权。
  • 攻击者利用“通用CSS注入”技术,通过属性选择器逐字符窃取用户跨站数据(如Gmail地址),实现零点击数据泄露。
  • 该漏洞被Opera评为最高严重等级P1,已发布补丁修复,但官方确认无证据表明其在野外被实际利用。
  • 攻击原理基于2023年发现的自动安装机制,研究人员通过重构分析师自身邮箱地址证明了PoC的有效性。
  • 除数据窃取外,同一漏洞路径在隐私模式下加载.crx文件可导致浏览器崩溃并泄露所有标签页信息。

为什么值得看

本文揭示了浏览器扩展机制中“静默安装”与“全局CSS注入”结合带来的新型数据泄露风险,为理解零点击攻击提供了具体案例。对于安全从业者和浏览器开发者而言,它强调了即使看似无害的功能(如皮肤Mod)若缺乏严格的权限隔离和安装确认,也可能成为严重的隐私漏洞入口。

技术解析

  • 漏洞核心机制:Opera GX的Mod管道允许自动下载并启用.crx文件,无需用户审批。恶意页面可通过隐藏iframe触发此过程,随后利用JS重定向用户至目标站点(如Google账户页)。
  • 数据窃取技术(XS-Leak):利用CSS属性选择器测试页面元素属性值的前缀。攻击者打包约15万条CSS规则,针对三字母组合进行匹配,当匹配成功时向攻击者服务器发起背景图片请求,从而逐字符重构敏感信息(如邮箱地址)。
  • 性能优化与限制:初始尝试使用四字母组合需560万条规则和880MB CSS导致浏览器卡顿,因此调整为重叠的三字母块以平衡覆盖率与资源消耗。
  • 其他利用场景:在隐私模式下加载恶意.crx可引发浏览器崩溃,导致所有打开的标签页信息泄露;该问题同样影响标准版Opera。
  • 修复措施:Opera在版本130.0.5847.89中修复了数据窃取相关的自动安装逻辑,但未提及隐私模式下的崩溃问题。

行业启示

  • 最小权限原则的重要性:浏览器功能设计应严格限制插件或Mod的作用域,避免全局样式注入能力被滥用为数据泄露通道,需重新评估“无权限”Mod的安全边界。
  • 自动化安装流程的风险管控:任何无需用户显式确认的软件组件安装机制都构成高危面,必须引入强验证或沙箱隔离,防止恶意页面利用自动安装链进行持久化攻击。
  • 漏洞赏金计划的沟通效率:本案显示,复杂的技术概念(如CSS盲注结合自动安装)可能导致安全团队初期误判严重性,研究人员需通过直观、直接的PoC演示来加速定级和响应流程。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全