Full Report
Researchers found a flaw in Opera GX, the gaming-focused version of the Opera browser, that let a malicious website silently install a browser add-on and use it to lift specific data from the pages a victim visits. In a proof of concept, they reconstructed a signed-in user's full Gmail address from a single visit, with no click. Opera has patched the flaw and says it found no evidence that
Analysis Summary
# Vulnerability: Silent Mod Installation and Universal CSS Injection in Opera GX
## CVE Details
- **CVE ID**: None Assigned (Vendor tracked via Bug Bounty as P1)
- **CVSS Score**: N/A (Rated "Critical" by Opera / Bugcrowd P1)
- **CWE**: CWE-352 (Cross-Site Request Forgery - underlying auto-install mechanism) / CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
## Affected Systems
- **Products**: Opera GX (Primary); Opera Browser (Secondary impact - crash only)
- **Versions**: Opera GX versions prior to 130.0.5847.89
- **Configurations**: Default installations (feature inherent to "GX Mods" pipeline)
## Vulnerability Description
The vulnerability stems from the Opera GX "Mods" pipeline, which automatically downloads and enables `.crx` mod files without user interaction or approval prompts.
A malicious website can trigger a silent installation of a mod (e.g., via a hidden iframe). Once installed, the mod's CSS is applied globally to every website the user visits. By using "Universal CSS Injection," an attacker can employ **attribute selectors** to perform an **XS-Leak** (Cross-Site Leak). The CSS can be designed to test if sensitive data (like an email address in an HTML attribute) begins with specific characters; if a match is found, the CSS triggers a background-image request to an attacker-controlled server. By chaining these requests, the attacker can reconstruct sensitive data one "trigram" (three-letter chunk) at a time.
## Exploitation
- **Status**: PoC available; confirmed to have been demonstrated to vendor analysts. No evidence of exploitation in the wild.
- **Complexity**: Medium (Requires crafting a high-volume CSS mod and a reconstruction script).
- **Attack Vector**: Network (Web-based, zero-click).
## Impact
- **Confidentiality**: High (Ability to lift sensitive private data from any authenticated web page, such as Gmail addresses or usernames).
- **Integrity**: Low (Can alter the visual look-and-feel of all visited pages).
- **Availability**: Medium (A secondary flaw allows a `.crx` load in private mode to crash the browser).
## Remediation
### Patches
- **Opera GX version 130.0.5847.89** or later contains the fix. Users should verify their version at `opera://about`.
### Workarounds
- There were no effective workarounds prior to the patch because the auto-install behavior required no user clicks or confirmation. Immediate update to the latest version is the only remediation.
## Detection
- **Indicators of Compromise**: Appearance of a notification bar below the address bar stating "A mod was added" with a "Remove" button for a mod the user did not intentionally install.
- **Detection Methods**: Monitoring for unusual high-volume outbound GET requests for background images containing character-based strings (trigrams) from the browser to unknown external domains.
## References
- **Vendor Advisory**: [opera-news.opera.com/gx-mod-security-update (Hypothetical/Not listed in text)]
- **Research/Technical Writeup**: hxxps://zhero-web-sec[.]github[.]io/research-and-things/one-trigram-at-a-time-xsleak-via-universal-css-injection-and-dos-in-opera-(gx)
- **Original Research (2023)**: hxxps://medium[.]com/@renwa/you-are-not-where-you-think-you-are-opera-browsers-address-bar-spoofing-vulnerabilities-aa36ad8321d8