Hi Opera users!

Over time, we have shared details about how we approach security vulnerabilities, and especially how we work with external security researchers to identify and fix them before they have a chance to be exploited by bad actors. This is called responsible disclosure and it is a best practice in cybersecurity, helping software providers stay ahead of threats and allowing researchers to showcase their good work and raise awareness around cybersecurity challenges. 

Recently, we collaborated with cybersecurity researcher Guardio on a vulnerability that depends on the user installing a malicious extension in the browser from outside Opera’s Add-ons Store. This is a very specific scenario that limits the number of users that could be affected because it relies on users being tricked into downloading a malicious extension from a third party store – where Opera cannot vouch for the integrity of extensions.

Nevertheless, the attack exploited a weakness in our own add-on infrastructure, so it was imperative to fix the vulnerability promptly. Our team collaborated with Guardio to address this and the fix was deployed on September 24, 2024. To our knowledge, no Opera user had been affected by this vulnerability before it was patched.

How the vulnerability worked

The vulnerability took advantage of the way web apps access Private APIs within the browser to power special features. This is a standard process in browsers as they get more powerful and are able to provide more functionality to users.

Guardio discovered that a malicious extension could potentially exploit this process. They successfully published such an extension on the Chrome Web Store, disguising it as a friendly-looking app. How friendly-looking? It promised to place a puppy on every web page the user visited – just to make it that much more irresistible! 

From there, a user would have to be tricked into opening themselves up to attack by:

• Downloading and installing the extension in Opera from the Chrome Web Store
• Confirming they were OK with Opera’s warning that the extension comes from outside Opera’s Add-ons Store and as such has not been reviewed by Opera

Why manual review of extensions matters

Why did Guardio’s attack method require publishing an extension on the Chrome Web Store instead of Opera’s own Add-ons Store? That’s because Opera’s Add-ons Store is unique in applying exclusively manual review of all extensions hosted in it – specifically to stop such malicious extensions from ever reaching users. 

Although Opera users can install extensions from third-party extension stores, it’s not possible for us to control the security of extensions published in such stores. We typically recommend using our own Add-ons Store, where each extension has been thoroughly checked by humans before being allowed in.

Following Guardio’s findings, our team collaborated with them to fix the vulnerability. As a next step, we will also be reviewing the way that web app features are enabled in the browser to avoid similar issues in the future. 

If you notice any vulnerabilities in Opera, you can reach out to us – find information on how to do that here. We also have a bug bounty program, which you can check out here. And of course, make sure to have the latest updates in your software installed – this is the best way to ensure you are protected!

As always, stay safe out there!

---