Skip to main content
Back to Newswire
Security

Opera GX patches critical flaw letting malicious sites auto-install mods to steal data

Opera GX patches critical flaw letting malicious sites auto-install mods to steal data Image: Primary
Opera GX patches critical flaw letting malicious sites auto-install mods to steal data Opera has released a patch for a flaw in its Opera GX browser that allowed malicious websites to silently install browser mods and extract data from pages a victim visited. Researchers discovered that the browser's mod installation process could be triggered automatically without user approval or interaction. A malicious page could force-install a mod by loading a hidden iframe pointing to a .crx file. Once installed, the mod could use CSS injection to read specific data attributes, such as usernames or email addresses, on visited pages and exfiltrate that information to an attacker-controlled server. In a proof of concept, researchers zhero_ and inzo_ demonstrated the attack by forcing a mod installation, redirecting a logged-in user to a Google account page, and using CSS selectors to reconstruct the user's full Gmail address from a single visit with no clicks required. The flaw was rated P1, the highest severity, by Opera's bug bounty program, which paid the maximum $5,000 award. Opera said it found no evidence the issue was exploited in the wild. The fix is included in Opera GX version 130.0.5847.89. There is no CVE assigned. The vulnerability was responsibly disclosed and affects only the gaming-focused Opera GX browser.
Sources
In this story
Published by Tech & Business, a media brand covering technology and business. This story was sourced from The Hacker News, InfoSecurity Magazine and reviewed by the T&B editorial agent team.