Researchers found a flaw in Opera GX, the gaming-focused version of the Opera browser, that let a malicious website silently install a browser add-on and use it to lift specific data from the pages a victim visits.
In a proof of concept, they reconstructed a signed-in user’s full Gmail address from a single visit, with no click. Opera has patched the flaw and says it found no evidence that it was ever used in the wild.
The fix shipped in Opera GX version 130.0.5847.89, so anyone on a current build is already covered; you can confirm yours at opera://about. There is no CVE.
Because the attack needed no clicks or approvals, there was no workaround short of the patch. Opera’s bug bounty team rated the issue P1, its top severity, and paid the maximum $5,000 award for a critical bug.
How the attack works
GX Mods let you reskin Opera GX with custom sounds, themes, wallpapers, and CSS that restyles the sites you visit. They ship as .crx files, like browser extensions, but they cannot run JavaScript and hold no permissions.
The weakness is in how they install: Opera’s mod pipeline downloads and enables a mod automatically, with no approval prompt. So a malicious page can install one silently, for instance by loading a hidden iframe pointed at a .crx file.
The only sign is a notification bar below the address bar telling you a mod was added, with a Remove button.
This auto-install behavior is not new. The researcher Renwa identified it back in 2023 and, by escalating an installed mod into a full extension, used it to spoof the browser’s address bar. Opera patched that specific attack in March 2023 but left the underlying auto-install in place, which is what this new research builds on.
A silent look-and-feel mod sounds harmless on its own. But a mod’s CSS is applied to every page you visit, not just one. Ordinary CSS injection is confined to the page it lands on; here, the attacker’s styling reaches every site the browser opens, a technique the researchers call a universal CSS injection.
CSS cannot read a page and send it off on its own. But it can be coaxed into leaking a value one piece at a time. The trick relies on attribute selectors: a rule can test whether an element’s attribute value, like an email tucked into a hidden field, begins with a given letter, and fetch a background image from the attacker’s server only when it does. Fire enough of these, and you learn the value character by character.
Researchers call this an XS-Leak, short for cross-site leak. To pull a Gmail address, the researchers aimed this at a Google account page, myaccount.google.com/contactemail, that carries the address inside three of its HTML attributes.
They packed a mod with roughly 150,000 CSS rules, one set for every possible three-letter piece of the address, and let a reconstruction script stitch the matches back together. They first tried four-letter pieces, which needed 5.6 million rules and about 880 MB of CSS. The browser choked, so they scaled down to three-letter chunks that overlap just enough to reassemble.
Chaining it together took only a nudge. The victim lands on the attacker’s page, the mod installs within seconds, and a few lines of JavaScript then redirect the browser to the Google account page. The mod’s CSS is already loaded there, so it fires the requests and leaks the address as the page renders, before the victim can reach the notice’s Remove button.
The Gmail address was just the proof of concept; the same approach can lift other values a page exposes in its markup, like a username.
The same auto-install path has a second, cruder use the researchers documented: loading a .crx while in private (Incognito) mode crashes the browser and dumps every open tab. This one hits regular Opera too, not just Opera GX, since any .crx trips the extension-install pipeline, whatever it contains. Opera’s advisory addresses the data-theft fix and does not mention the crash.
Severity and the bigger picture
The report almost did not get its due. Opera runs its bounty program on Bugcrowd, and the triage analysts struggled to grasp what the bug did, first rating it a middling P3.
The researchers made their case in an unusually direct way: while an analyst was reproducing the attack, they caught the analyst’s own trigrams, rebuilt the analyst’s Gmail address, and pasted it into the report. Opera’s team then raised the severity to P1 and paid the $5,000 critical-tier maximum.
Opera’s own account is more measured. In its advisory, the company says it is “quite confident” the flaw was never exploited in the wild, and frames the attack as complicated to pull off: the victim had to land on a malicious site, end up with a fresh mod, and ignore the removal notice long enough for the redirect to fire.
The researchers’ demo is the counterweight. Their redirect runs in the seconds before a user can even read the notice, let alone click Remove. It was a narrow, fiddly attack that Opera found no trace of in the wild, and it still worked with zero clicks once it was set up.
The risk here was never the cosmetic feature by itself. It was reach. Once a mod’s CSS could follow you from one site to the next, “just styling” turned out to be plenty.
That is the twist on a familiar idea: CSS-only theft usually stays trapped on the page where it is injected, as in PortSwigger’s Blind CSS Exfiltration research, but here it rode along on every site the victim opened.
It is also not the first Opera feature turned against its users; The Hacker News covered the 2024 MyFlaw bug in Opera’s My Flow, and Opera had been warned about this very auto-install behavior since 2023.
📰 Original Source:TheHackerNews ✍️ Author: info@thehackernews.com (The Hacker News)
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Leave a Reply