391/67 Tuesday, November 5, 2024
A critical vulnerability has been discovered in the Opera web browser, which could allow malicious extensions to gain unauthorized access to private APIs, potentially leading to account takeovers and other severe security risks. This vulnerability, named “CrossBarking” by researchers at Guardio Labs, was patched on September 24, 2024, following a responsible disclosure to Opera.
The issue stemmed from Opera’s use of special web apps on designated domains, which have privileged access to features like Opera Flow, Opera Wallet, and Pinboard. These web apps can interact with APIs embedded in Opera’s core code. Researchers found that malicious extensions could exploit this vulnerability to inject code into these domains, bypassing Opera’s security measures.
Guardio Labs demonstrated this vulnerability by creating a prototype puppy-themed extension that, despite appearing harmless, could execute malicious code on Opera’s vulnerable domains once installed from the Chrome Web Store. The attack allowed for actions such as taking screenshots of open tabs, extracting session cookies, and even modifying DNS-over-HTTPS settings, potentially leading to man-in-the-middle attacks. Researchers noted that exploiting this vulnerability was relatively easy, as attackers could upload a sample extension to the Chrome Web Store, which is accessible by Opera. This allowed them to bypass Opera’s stringent extension review process.
Source https://cybersecuritynews.com/opera-browser-0-day-flaw/