Opera GX flaw let sites silently install mod and leak data

by

Researchers found a flaw in Opera GX that let a malicious website silently install a browser mod and use it to extract data from pages a victim visited, including a full Gmail address in a proof of concept, according to a technical analysis. Opera patched the issue in version 130.0.5847.89 and said it found no evidence of abuse in the wild.

KEY FACTS

  • Impact A malicious site could install a GX Mod without a click or approval.
  • Proof of concept Researchers reconstructed a signed-in user’s Gmail address from one visit.
  • Fix Opera GX version 130.0.5847.89 includes the patch.
  • Severity Opera’s bug bounty team rated it P1 and paid the $5,000 maximum award.

GX Mods are designed to change sounds, themes, wallpapers and site styling. They ship as .crx files, but the install path lets Opera download and enable them automatically, which is how a hidden iframe could trigger the process.

The mod itself cannot run JavaScript and does not hold permissions, but its CSS applies to every page the browser opens. The report says that reach made it possible to use attribute selectors to test page content and leak values one character group at a time.

Researchers said they used about 150,000 CSS rules to recover three-letter chunks of a Gmail address from a Google account page. They first tried four-letter chunks, but the browser could not handle the roughly 5.6 million rules and 880 MB of CSS needed.

The same installation path could also crash Opera in private mode when a .crx file was loaded, which dumped open tabs. Opera’s advisory said it was confident the flaw was not exploited in the wild and did not mention the crash.

WHY IT MATTERS

The issue showed that a feature intended for browser customization could be turned into a cross-site data leak if it can follow a user from one page to the next. Opera has fixed the flaw, but users on older builds may still be exposed until they update.