Opera browser had a major security flaw that could have exposed all your details, so patch now

An add-on could inject malicious JavaScript to overly permissive APIs

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Opera has fixed a worrying security vulnerability, which could have allowed threat actors to access permissive APIs in thebrowser, and thus take over accounts, tweak browser settings, and even take screenshots.

Cybersecurity researchers GuardioLabs disclosed their findings, and dubbed the vulnerability “CrossBarking”.

The flaw revolves around the fact that multiple Opera-owned, publicly accessible subdomains, have privileged access to private APIs embedded within thebrowser. These domains support different features of the browser, such as the Pinboard, Opera Wallet, and others. By abusing browser extensions, crooks could injectmaliciousJavaScript into these domains, and thus gain access to the APIs.

Malicious extensions

“The content script does have access to the DOM (Document Object Model),” the researchers explained in a blog post. “This includes the ability to dynamically change it, specifically by adding new elements.”

Access to the APIs then allow crooks to screenshot open tabs, pull session cookies to access different accounts, and modify the browser’s DNS-over-HTTPS settings to resolve domains through malicious DNS servers. This, the researchers further explain, could lead to victims opening fake bank sites and losing banking credentials.

To demonstrate that the vulnerability works, GuardioLabs published a small browser extension to theGoogleChrome Web Store. From there, an Opera browser user picks it up and compromises their device. The silver lining here is that the extension requires permission to run JavaScript on any web page, and particularly those that have access to private APIs.

Luckily, Opera has already addressed the issue and fixed the flaw in version 113.0.5230.132, so make sure to update your browser to avoid any unnecessary risk.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Being omnipresent, browsers are an extremely popular target for cybercriminals. The most popular products, such as Chrome, Firefox, Sarafi, Opera, or Edge, are generally considered safe, but addons are a different story, since many are developed by third parties and don’t necessarily have the same approach to cybersecurity as the browser makers themselves.

Edit, November 1 -

Commenting on GuardioLabs' findings, an Opera spokesperson clarified that the attack is not easy to pull off and stressed the importance of manually reviewing add-ons in the store.

“The avenue of attack is not straightforward at all and would not be able to affect a large number of users,” the representative told us. “That’s because it relies on the user installing and giving permission to a malicious extension - which is not even available in Opera’s add-on store. So the user has to go to Chrome’s web store to find and install the extension.”

The spokesperson basically threw Google a curveball, saying an extra layer of protection here is that all add-ons in the Opera store are manually reviewed before being offered for download.

“Such an extension would never have made it past manual review in Opera’s add-on store. Today, we are the only add-on store operator applying manual review to all extensions, specifically to stop such malicious extensions from coming through,” they concluded.

ViaThe Hacker News

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

Arcane season 2 act 1 ending explained: who is [SPOILER], when is episode 4 coming out, and your biggest questions answered