The vulnerability, now patched, affected the gaming-focused Opera GX browser and centred on its GX Mods feature, which lets users customise themes, wallpapers, sounds and website appearance. Security researchers zhero and inzo found that a malicious site could trigger the automatic installation of a crafted mod without a permission prompt, then use the mod’s Cascading Style Sheets to probe information on other pages loaded by the victim.
Opera has fixed the issue in Opera GX version 130.0.5847.89 and later. Users running older builds have been urged to update the browser and check their version through the browser’s about page. No CVE identifier has been assigned, but the flaw was treated as a top-severity issue after review and drew a $5,000 critical-level bounty.
The proof of concept showed that a victim’s Gmail address could be reconstructed after a single visit to an attacker-controlled page. The attack did not require the user to click an installation button, approve a pop-up or grant an extension permission. Once the page loaded, a hidden frame could point the browser to a malicious. crx package, causing Opera GX to download and enable the mod automatically.
The finding is significant because GX Mods are designed as lightweight cosmetic packages rather than full browser extensions. They do not run JavaScript and do not carry conventional extension permissions. The risk emerged from their ability to apply CSS broadly across pages, giving attacker-controlled styling rules a reach that ordinary page-level CSS injection would not have.
The researchers described the technique as a universal CSS injection leading to an XS-Leak, or cross-site leak. CSS cannot directly read a webpage like JavaScript can, but it can make conditional network requests when selectors match specific attributes in a page’s markup. By creating large sets of selectors that test whether a value begins with, ends with or contains certain character combinations, an attacker can infer data piece by piece.
The Gmail demonstration used trigrams, or three-character sequences, to reconstruct an address. Earlier tests using four-character combinations required more than 5.6 million CSS rules and produced a stylesheet of about 880 MB, which the browser could not process reliably. The workable method used 151,959 CSS rules, reducing the load while keeping enough overlap to rebuild the address from fragments.
The attack chain relied on a short redirection sequence. After the victim arrived at the malicious website, the GX Mod installed within seconds. The browser displayed a notification bar saying a mod had been added, with an option to remove it, but the page could redirect the user to a target account page before the warning could realistically be acted on. The mod’s CSS then triggered requests to an attacker-controlled server as the target page rendered.
Opera said its investigation found no evidence that the flaw had been exploited in the wild. The company also said the attack required specific circumstances, including a user visiting a specially prepared website and leaving the newly added mod in place long enough for the redirection and data extraction to occur. The researchers’ demonstration, however, showed that those steps could be compressed into a zero-click sequence once the victim reached the hostile page.
The same automatic installation pathway also exposed a denial-of-service problem. When a. crx file was forced through the extension installation pipeline in private browsing mode, the browser could crash and lose open tabs. That behaviour affected both Opera GX and the standard Opera browser, even though the full data-exfiltration method was tied to GX Mods.
The flaw also highlights a wider issue for browser makers as customisation, gaming overlays, AI assistants and productivity add-ons become part of the browser experience. Features that appear cosmetic may still interact with trusted web content in ways that expand the attack surface. Security researchers have warned for years that extensions and extension-like systems require careful isolation because they may sit outside normal same-origin protections that restrict webpages from reading each other’s data.
Follow Arabian Post
Select Arabian Post as your preferred source on Google and MSN News for trusted business news and Arab politics and updates.