Per Infosecurity Magazine, a vulnerability discovered in the Opera GX browser could allow malicious websites to automatically install customization mods and use them to steal data from other sites visited by a user, without requiring any interaction.The vulnerability, found by security researcher zhero_web_security, allows for a zero-click cross-site leak (XS-Leak) by exploiting the automatic installation of GX Mods. Unlike typical browser extensions, these mods do not require permission prompts and can be installed simply by downloading their file. This enables attackers to inject CSS across all open tabs and websites, bypassing the usual single-page limitations of CSS injection. The researcher demonstrated that this could be used to exfiltrate data piece by piece, successfully recovering a victim's Gmail address.Additionally, the auto-install behavior could be leveraged for a denial-of-service (DoS) attack. Forcing a mod installation in Incognito mode caused the browser to crash and close all open tabs. Opera patched the flaw on May 8, awarding a $5,000 bounty for the discovery.Source: Infosecurity Magazine
Vulnerability Management
Opera GX browser vulnerability could allow data theft and DoS attacks

(Adobe Stock)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



