We have noticed some misleading media articles regarding the so-called “MyFlaw” vulnerability that allegedly puts Opera users at risk. This is NOT true. The coverage presents this as an active vulnerability that could compromise users’ security. It is not – Opera actively worked with researchers to address it two months ago.
This vulnerability, which no longer exists, was identified as part of a collaboration with security researchers Guardio Labs, and was subsequently fixed within only five days – as such, Opera users are not at risk.
This, and the blog post by Guardio Labs that followed the fix, is part of ongoing work that all software companies do with security researchers to safely and quickly identify and fix vulnerabilities. The responsible disclosure of such vulnerabilities should serve to inform, not panic users.
Details of the removed vulnerability in brief:
- The vulnerability in question was identified by Guardio Labs two months ago, and Opera was immediately alerted. It was fixed within five days.
- There is no evidence that the vulnerability was exploited or that Opera users’ security was compromised as a result.
- The vulnerability in question required the user to install a malicious extension – something that is very hard to do on Opera as we use manual review in our add-ons store to further enhance security and user safety.
- Finding, fixing, and then disclosing vulnerabilities is a standard security practice that enhances safety and security rather than compromising it.
Strengthening security through collaboration
We constantly work with security researchers and specialists from around the world who help identify vulnerabilities or gaps and then responsibly alert us so we can address them. This is a standard practice among software companies, which keeps users safe by quickly discovering and fixing vulnerabilities before malicious actors are able to exploit them.
In this case, on November 17, 2023, we were alerted to a vulnerability in our MyFlow file sharing system by security researchers Guardio Labs. The team discovered a way that an attacker could exploit this vulnerability through a malicious browser extension. To be exposed to this attack, a user would have to deliberately download and interact with a malicious file, and then disable security features which Opera warns about – in other words, a process that the average user would be very unlikely to go through.
Upon discovering the flaw, Guardio Labs immediately and responsibly reached out to us with all the necessary details. Our team got to work right away to address the vulnerability, and a fix was released just five days later, on November 22nd, 2023. Guardio Labs subsequently helped verify the fix and released a report on their findings this week – two months after this incident, which to our knowledge has not affected any of our users.
No evidence of compromised security
There is no evidence that the vulnerability was ever exploited, and Opera users’ security was never compromised as a result. It’s also important to note that, as mentioned above, the vulnerability would require the installation of a malicious add-on in order to work. This would be very hard to accomplish on Opera, because we employ manual review in our add-ons store – another measure we take to protect users.
The media that reported on this seem to focus on the vulnerability itself rather than on the work that was done to fix it quickly and safely and the fact that it no longer exists. In truth, however, it is standard security practice to identify, fix, and disclose such vulnerabilities before malicious actors have a chance to exploit them. Software, and subsequently users, are safer as a result.
If you notice any vulnerabilities in Opera, please reach out to us – you can find information on how to do that here. We also have a bug bounty program, which you can check out here. And of course, make sure to have the latest updates for your software installed – this is the best way to ensure you are protected!
As always, stay safe out there!