Opera has fixed a serious security vulnerability in Opera GX, its gaming-focused web browser, after researchers discovered that a malicious website could silently install a browser mod and use it to steal sensitive information from websites a victim visits.

In a proof-of-concept attack, researchers successfully recovered a signed-in user’s full Gmail address after the victim visited a malicious webpage just once, without clicking or approving anything.

The security issue has been patched in Opera GX version 130.0.5847.89, and Opera says it found no evidence that the flaw was ever exploited in real-world attacks. Users running the latest version are already protected. The company also confirmed that the vulnerability did not receive a CVE identifier. Because the attack required no user interaction, there was no practical workaround other than installing the security update. Opera’s bug bounty team classified the flaw as a P1 critical issue, its highest severity level, and awarded the researchers the maximum $5,000 bounty.

The vulnerability was linked to GX Mods, a feature that lets users customize Opera GX with themes, wallpapers, sounds, and CSS-based website styling. Unlike traditional browser extensions, GX Mods cannot run JavaScript or request browser permissions. However, Opera automatically downloaded and enabled these mods without asking for user approval. Researchers showed that a malicious website could abuse this behavior by silently loading a hidden iframe pointing to a specially crafted mod file.

Although the installed mod could not execute JavaScript, its CSS was automatically applied to every website the victim visited. Researchers used this capability to create what they described as a universal CSS injection attack. By exploiting CSS attribute selectors, the malicious stylesheet could detect small pieces of information stored in webpage attributes and trigger requests back to an attacker-controlled server. These requests allowed the researchers to reconstruct hidden values one segment at a time.

READ
Nissan Confirms Employee Data Breach After Oracle PeopleSoft Zero-Day Attack

To demonstrate the attack, the researchers targeted a Google account page containing the user’s Gmail address within HTML attributes. They created a massive CSS file containing around 150,000 rules that tested every possible three-character combination of the email address. As the page loaded, matching CSS rules generated network requests that gradually revealed the full Gmail address. The browser was redirected to the Google page immediately after the mod installed, allowing the attack to complete before most users could even notice the notification offering to remove the newly installed mod.

The researchers said the Gmail address was only a demonstration. The same technique could potentially extract other sensitive information exposed in webpage markup, including usernames and similar account details.

The research also uncovered a separate issue affecting both Opera GX and the standard Opera browser. Opening a browser extension file while browsing in private mode could crash the browser and force all open tabs to close. Opera’s security advisory addressed the data-leak vulnerability but did not mention the browser crash.

The vulnerability was initially underestimated during the bug bounty review process and received a medium-severity rating. The researchers later demonstrated the seriousness of the flaw by reconstructing the Gmail address of the security analyst reviewing the report, prompting Opera to raise the issue to its highest severity level.


Buy ExpressVPN with PayPal or Credit Card

Opera maintains that the attack was difficult to carry out because victims first had to visit a malicious website, allow the automatic installation to occur, and remain on the page long enough for the redirect to complete. However, the researchers argued that the entire attack happened within seconds and required no clicks or user approval, making it nearly impossible for victims to stop once triggered.

READ
Hackers Launch 81 Million Microsoft 365 Login Attempts in Massive Password Spraying Campaign
Advertisement