
    Opera Browser Patches Critical Vulnerability That Risked User Data Exposure

    A critical security flaw, now patched, in the Opera web browser previously opened the door for malicious browser extensions to potentially gain full, unauthorized access to private APIs.

    Dubbed “CrossBarking,” the vulnerability allowed for actions like screen capture, browser setting manipulation, and even account hijacking, according to Guardio Labs.

    To demonstrate the potential risk, Guardio developed a seemingly benign extension, successfully uploading it to the Chrome Web Store. Upon installation in Opera, the extension exploited this flaw, highlighting what’s termed a cross-browser-store vulnerability.

    “This case study not only reveals the longstanding tension between productivity and security but also gives a rare view into the subtleties of modern cyber threats that often fly under the radar,” commented Nati Tal, head of Guardio Labs, in a report shared with The Hacker News.

    Opera addressed the vulnerability on September 24, 2024, following responsible disclosure. This isn’t the first security concern flagged for the browser; in January, another vulnerability—referred to as “MyFlaw”—surfaced. That issue took advantage of a feature called My Flow, exploiting it to execute any file on the host operating system.

    The latest technique relied on the fact that various Opera-managed subdomains have privileged API access within the browser, supporting Opera-exclusive tools like Opera Wallet and Pinboard, among others.

    Listed below are some of these domains, including third-party entries:

    • crypto-corner.op-test.net
    • op-test.net
    • gxc.gg
    • opera.atlassian.net
    • pinboard.opera.com
    • instagram.com
    • yandex.com

    While the browser’s sandboxing typically insulates it from the broader operating system, Guardio’s research revealed that content scripts embedded within extensions could inject malicious JavaScript into the domains, thus obtaining unauthorized access to private APIs.

    “The content script interacts with the Document Object Model (DOM),” Tal explained, “enabling it to modify this environment, including inserting new elements dynamically.”

    With such access, an attacker could capture screenshots of open tabs, steal session cookies to hijack accounts, and even alter a browser’s DNS-over-HTTPS (DoH) settings, rerouting connections through attacker-controlled DNS servers.

    This setup could pave the way for adversary-in-the-middle (AitM) attacks, redirecting users to malicious replicas of trusted sites like online banking or social platforms.

    This kind of malicious extension could easily appear in an innocuous guise on any extension marketplace, including the Google Chrome Web Store, waiting for unsuspecting users to install it. However, it would require permission to execute JavaScript on all web pages, and in particular on the domains with private API access.
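The permission requirement above is something a defender can check before an extension is allowed. The following Node.js audit is an added example, not code from the article, Guardio or Opera: it flags manifest match patterns that reach the privileged domains listed earlier. The function names and sample manifests are constructed for illustration.

```javascript
// Added example (not Guardio's or Opera's code). Domain list is from the article.
const PRIVILEGED_DOMAINS = [
  "crypto-corner.op-test.net", "op-test.net", "gxc.gg", "opera.atlassian.net",
  "pinboard.opera.com", "instagram.com", "yandex.com",
];

// True if a WebExtension match pattern can cover an http(s) page on `host`.
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/(\*|\*\.[^/*]+|[^/*]+)\//.exec(pattern);
  if (!m) return false; // other schemes or malformed patterns: not a web match
  const hostPart = m[2].toLowerCase();
  if (hostPart === "*") return true;
  if (hostPart.startsWith("*.")) {
    const base = hostPart.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return host === hostPart;
}

// Collect every pattern that lets the extension run script on a privileged domain.
// exclude_matches is ignored here, so results are an upper bound on reach.
function auditManifest(manifest) {
  const sources = [];
  (manifest.content_scripts || []).forEach((cs, i) =>
    (cs.matches || []).forEach((p) => sources.push([`content_scripts[${i}].matches`, p])));
  // Host permissions (MV3 "host_permissions", MV2 patterns inside "permissions").
  [...(manifest.host_permissions || []), ...(manifest.permissions || [])]
    .filter((p) => typeof p === "string" && (p === "<all_urls>" || p.includes("://")))
    .forEach((p) => sources.push(["host permission", p]));
  return sources
    .map(([source, pattern]) => ({
      source, pattern,
      domains: PRIVILEGED_DOMAINS.filter((d) => patternCoversHost(pattern, d)),
    }))
    .filter((f) => f.domains.length > 0);
}

// Constructed sample manifests (not real extensions).
const broadManifest = { manifest_version: 3, name: "sample-broad",
  content_scripts: [{ matches: ["<all_urls>"], js: ["cs.js"] }] };
const scopedManifest = { manifest_version: 3, name: "sample-scoped",
  permissions: ["storage"],
  content_scripts: [{ matches: ["https://*.example.org/*"], js: ["cs.js"] }] };
const wildcardManifest = { manifest_version: 2, name: "sample-wildcard",
  permissions: ["tabs", "*://*.opera.com/*"] };

for (const m of [broadManifest, scopedManifest, wildcardManifest]) {
  console.log(m.name, JSON.stringify(auditManifest(m)));
}
```

An empty result means no declared pattern reaches the listed domains; any finding is a reason to review the extension before allowing it in a managed Opera deployment.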

    Given the continued infiltration of rogue extensions in official stores, alongside transparency issues with some legitimate ones, Guardio’s findings emphasize the need for caution when installing new extensions.

    “Browser extensions wield significant power—both beneficial and detrimental,” noted Tal. “Therefore, regulatory bodies must closely scrutinize them.”

    Tal recommended enhancing the current review protocols with additional personnel and ongoing monitoring of an extension’s behavior even after approval. Further, enforcing verified developer identities, rather than just allowing simple credentials like free emails or prepaid credit cards, would elevate security during registration.
