Opera Web Browser Resolves Significant Security Vulnerability That Could Have Exposed Your Data
A now-patched security vulnerability in the Opera web browser could have allowed a malicious extension to gain unauthorized, full access to private APIs.
The exploit, known as CrossBarking, could have been used to capture screenshots, alter browser settings, and hijack accounts, according to Guardio Labs.
To demonstrate the issue, the company showed how it managed to publish a seemingly harmless browser extension to the Chrome Web Store that could then exploit the vulnerability once installed in Opera, making it an example of a cross-browser-store attack.
“This case study not only emphasizes the perpetual conflict between efficiency and security but also offers an intriguing peek into the strategies employed by contemporary threat actors operating just beneath the notice,” Nati Tal, the head of Guardio Labs, said in a report shared with The Hacker News.
Opera resolved the issue as of September 24, 2024, following responsible disclosure. That said, this is not the first time security flaws have been found in the browser.
Earlier this year, in January, details emerged of a vulnerability named MyFlaw that abuses a legitimate feature called My Flow to execute any file on the underlying operating system.
The latest attack technique relies on the fact that several Opera-owned, publicly accessible subdomains have privileged access to private APIs embedded in the browser. These domains support Opera-specific features such as Opera Wallet and Pinboard, among others, as well as ones used in internal development.
The names of some of these domains, which also include certain third-party domains, are listed below:
- crypto-corner.op-test.net
- op-test.net
- gxc.gg
- opera.atlassian.net
- pinboard.opera.com
- instagram.com
- yandex.com
Although sandboxing keeps the browser context isolated from the operating system, Guardio’s research found that content scripts in a browser extension could inject malicious JavaScript into the overly permissive domains and thereby reach the private APIs.
“The content script has DOM (Document Object Model) access,” Tal elaborated. “This encompasses dynamically altering it, particularly by introducing new elements.”
With this capability, an attacker could capture screenshots of all visible tabs, extract session cookies to hijack accounts, and even modify the browser’s DNS-over-HTTPS (DoH) settings so that domains are resolved through a DNS server under the attacker's control.
This could pave the way for potent adversary-in-the-middle (AitM) attacks, in which users trying to visit financial or social media sites are redirected to malicious versions instead.
The malicious extension, for its part, could be published as a seemingly harmless tool in any of the extension stores, including the Google Chrome Web Store, where users could install it and trigger the attack. It does, however, require permission to run JavaScript on any web page, notably the domains with access to private APIs.
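As an added example (not taken from Guardio's report or from Opera), the following JavaScript shows how a defender could audit an extension's manifest.json for content-script or host permissions that reach the domains listed above. The function names and sample manifests are constructed for illustration, and only the exact hosts named in this article are checked.

```javascript
// Hosts this article lists as having privileged access to Opera's private APIs.
const PRIVILEGED_HOSTS = [
  "crypto-corner.op-test.net", "op-test.net", "gxc.gg", "opera.atlassian.net",
  "pinboard.opera.com", "instagram.com", "yandex.com",
];

// True if a Chrome-style match pattern (e.g. "*://*.opera.com/*") covers `host`.
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/([^/]*)\//.exec(pattern);
  if (!m) return false; // file:, ftp: and malformed patterns never reach web pages
  const patHost = m[2].toLowerCase().replace(/:(\d+|\*)$/, ""); // drop optional port
  if (patHost === "*") return true;
  if (patHost.startsWith("*.")) {
    const base = patHost.slice(2); // "*.a.com" covers a.com and its subdomains
    return host === base || host.endsWith("." + base);
  }
  return host === patHost;
}

// Collect every pattern that lets the extension run script on a page, then
// report those covering a privileged host. exclude_matches is ignored on
// purpose, so the audit errs toward over-reporting.
function auditManifest(manifest, hosts = PRIVILEGED_HOSTS) {
  const sources = [];
  for (const cs of manifest.content_scripts || [])
    for (const p of cs.matches || []) sources.push(["content_scripts", p]);
  for (const key of ["host_permissions", "optional_host_permissions", "permissions"])
    for (const p of manifest[key] || [])
      if (typeof p === "string" && (p === "<all_urls>" || p.includes("://")))
        sources.push([key, p]); // MV2 mixes host patterns into "permissions"
  const findings = [];
  for (const [source, pattern] of sources) {
    const covered = hosts.filter((h) => patternCoversHost(pattern, h));
    if (covered.length) findings.push({ source, pattern, covered });
  }
  return findings;
}

// Constructed sample manifests (not real extensions).
const SAMPLE_BROAD = { manifest_version: 3, permissions: ["storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }] };
const SAMPLE_TARGETED = { manifest_version: 2,
  permissions: ["tabs", "*://*.opera.com/*"] };
const SAMPLE_SCOPED = { manifest_version: 3,
  host_permissions: ["https://*.example.org/*"],
  content_scripts: [{ matches: ["https://notes.example.org/*"], js: ["c.js"] }] };
```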
With rogue browser extensions repeatedly slipping into official stores, not to mention some legitimate ones that lack transparency about their data collection practices, the findings underscore the need for caution before installing them.
“Browser extensions possess substantial authority — for better or worse,” Tal declared. “Thus, regulatory entities must scrutinize them vigilantly.”
“The current evaluation process falls short; we advocate fortifying it with more personnel and ongoing evaluation methods that track an extension’s operations even post-approval. Moreover, enforcing genuine identity validation for developer accounts proves indispensable, as mere reliance on a free email and prepaid credit card is inadequate for registration.”



