Opera GX mod flaw raises data theft alarm

A browser flaw in Opera GX allowed hostile websites to silently install customisation mods and use them to extract data from pages visited by a signed-in user, exposing a weakness in how browser styling features can be turned into cross-site surveillance tools.

The vulnerability, now patched, affected the gaming-focused Opera GX browser and centred on its GX Mods feature, which lets users customise themes, wallpapers, sounds and website appearance. Security researchers zhero and inzo found that a malicious site could trigger the automatic installation of a crafted mod without a permission prompt, then use the mod’s Cascading Style Sheets to probe information on other pages loaded by the victim.

Opera has fixed the issue in Opera GX version 130.0.5847.89 and later. Users running older builds have been urged to update the browser and check their version through the browser’s about page. No CVE identifier has been assigned, but the flaw was treated as a top-severity issue after review and drew a $5,000 critical-level bounty.

ADVERTISEMENT

The proof of concept showed that a victim’s Gmail address could be reconstructed after a single visit to an attacker-controlled page. The attack did not require the user to click an installation button, approve a pop-up or grant an extension permission. Once the page loaded, a hidden frame could point the browser to a malicious. crx package, causing Opera GX to download and enable the mod automatically.

The finding is significant because GX Mods are designed as lightweight cosmetic packages rather than full browser extensions. They do not run JavaScript and do not carry conventional extension permissions. The risk emerged from their ability to apply CSS broadly across pages, giving attacker-controlled styling rules a reach that ordinary page-level CSS injection would not have.

The researchers described the technique as a universal CSS injection leading to an XS-Leak, or cross-site leak. CSS cannot directly read a webpage like JavaScript can, but it can make conditional network requests when selectors match specific attributes in a page’s markup. By creating large sets of selectors that test whether a value begins with, ends with or contains certain character combinations, an attacker can infer data piece by piece.

The Gmail demonstration used trigrams, or three-character sequences, to reconstruct an address. Earlier tests using four-character combinations required more than 5.6 million CSS rules and produced a stylesheet of about 880 MB, which the browser could not process reliably. The workable method used 151,959 CSS rules, reducing the load while keeping enough overlap to rebuild the address from fragments.

The attack chain relied on a short redirection sequence. After the victim arrived at the malicious website, the GX Mod installed within seconds. The browser displayed a notification bar saying a mod had been added, with an option to remove it, but the page could redirect the user to a target account page before the warning could realistically be acted on. The mod’s CSS then triggered requests to an attacker-controlled server as the target page rendered.

ADVERTISEMENT

Opera said its investigation found no evidence that the flaw had been exploited in the wild. The company also said the attack required specific circumstances, including a user visiting a specially prepared website and leaving the newly added mod in place long enough for the redirection and data extraction to occur. The researchers’ demonstration, however, showed that those steps could be compressed into a zero-click sequence once the victim reached the hostile page.

The same automatic installation pathway also exposed a denial-of-service problem. When a. crx file was forced through the extension installation pipeline in private browsing mode, the browser could crash and lose open tabs. That behaviour affected both Opera GX and the standard Opera browser, even though the full data-exfiltration method was tied to GX Mods.

The flaw also highlights a wider issue for browser makers as customisation, gaming overlays, AI assistants and productivity add-ons become part of the browser experience. Features that appear cosmetic may still interact with trusted web content in ways that expand the attack surface. Security researchers have warned for years that extensions and extension-like systems require careful isolation because they may sit outside normal same-origin protections that restrict webpages from reading each other’s data.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.


ADVERTISEMENT
Social Media Auto Publish Powered By : XYZScripts.com