Close Menu
    What's Hot

    Who was really at Taylor Swift and Travis Kelce’s Madison Square Garden wedding? AI slop makes it hard to tell

    Opinion | Lessons From the Graham Platner Disaster

    Trump Expected to Tell Turkey He Is Ready to Restore Access to F-35 Jets

    Facebook X (Twitter) Instagram
    Trending
    • Who was really at Taylor Swift and Travis Kelce’s Madison Square Garden wedding? AI slop makes it hard to tell
    • Opinion | Lessons From the Graham Platner Disaster
    • Trump Expected to Tell Turkey He Is Ready to Restore Access to F-35 Jets
    • Trump was introduced to red and yellow cards in 2018
    • ICE’s Internal Watchdog Is Now Investigating Online Critics
    • In CNN Interview, Woman Details Alleged Sexual Assault by Graham Platner
    • The California Democrat who says he ‘won’t cheer FIFA’s capitulation to power’
    • Why el-Obeid matters as Sudan’s war enters a new phase | Sudan war News
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Opera GX Flaw Let Malicious Sites Auto-Install Mods to Steal Data From Visited Pages

    adminBy adminJuly 7, 2026No Comments5 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Opera GX Flaw Let Malicious Sites Auto-Install Mods to Steal Data From Visited Pages
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Opera GX Flaw Let Malicious Sites Auto-Install Mods to Steal Data From Visited Pages

    Researchers found a flaw in Opera GX, the gaming-focused version of the Opera browser, that let a malicious website silently install a browser add-on and use it to lift specific data from the pages a victim visits.

    In a proof of concept, they reconstructed a signed-in user’s full Gmail address from a single visit, with no click. Opera has patched the flaw and says it found no evidence that it was ever used in the wild.

    The fix shipped in Opera GX version 130.0.5847.89, so anyone on a current build is already covered; you can confirm yours at opera://about. There is no CVE.

    Because the attack needed no clicks or approvals, there was no workaround short of the patch. Opera’s bug bounty team rated the issue P1, its top severity, and paid the maximum $5,000 award for a critical bug.

    How the attack works

    GX Mods let you reskin Opera GX with custom sounds, themes, wallpapers, and CSS that restyles the sites you visit. They ship as .crx files, like browser extensions, but they cannot run JavaScript and hold no permissions.

    The weakness is in how they install: Opera’s mod pipeline downloads and enables a mod automatically, with no approval prompt. So a malicious page can install one silently, for instance by loading a hidden iframe pointed at a .crx file.

    Cybersecurity

    The only sign is a notification bar below the address bar telling you a mod was added, with a Remove button.

    This auto-install behavior is not new. The researcher Renwa identified it back in 2023 and, by escalating an installed mod into a full extension, used it to spoof the browser’s address bar. Opera patched that specific attack in March 2023 but left the underlying auto-install in place, which is what this new research builds on.

    A silent look-and-feel mod sounds harmless on its own. But a mod’s CSS is applied to every page you visit, not just one. Ordinary CSS injection is confined to the page it lands on; here, the attacker’s styling reaches every site the browser opens, a technique the researchers call a universal CSS injection.

    CSS cannot read a page and send it off on its own. But it can be coaxed into leaking a value one piece at a time. The trick relies on attribute selectors: a rule can test whether an element’s attribute value, like an email tucked into a hidden field, begins with a given letter, and fetch a background image from the attacker’s server only when it does. Fire enough of these, and you learn the value character by character.

    Researchers call this an XS-Leak, short for cross-site leak. To pull a Gmail address, the researchers aimed this at a Google account page, myaccount.google.com/contactemail, that carries the address inside three of its HTML attributes.

    They packed a mod with roughly 150,000 CSS rules, one set for every possible three-letter piece of the address, and let a reconstruction script stitch the matches back together. They first tried four-letter pieces, which needed 5.6 million rules and about 880 MB of CSS. The browser choked, so they scaled down to three-letter chunks that overlap just enough to reassemble.

    Chaining it together took only a nudge. The victim lands on the attacker’s page, the mod installs within seconds, and a few lines of JavaScript then redirect the browser to the Google account page. The mod’s CSS is already loaded there, so it fires the requests and leaks the address as the page renders, before the victim can reach the notice’s Remove button.

    The Gmail address was just the proof of concept; the same approach can lift other values a page exposes in its markup, like a username.

    The same auto-install path has a second, cruder use the researchers documented: loading a .crx while in private (Incognito) mode crashes the browser and dumps every open tab. This one hits regular Opera too, not just Opera GX, since any .crx trips the extension-install pipeline, whatever it contains. Opera’s advisory addresses the data-theft fix and does not mention the crash.

    Severity and the bigger picture

    The report almost did not get its due. Opera runs its bounty program on Bugcrowd, and the triage analysts struggled to grasp what the bug did, first rating it a middling P3.

    The researchers made their case in an unusually direct way: while an analyst was reproducing the attack, they caught the analyst’s own trigrams, rebuilt the analyst’s Gmail address, and pasted it into the report. Opera’s team then raised the severity to P1 and paid the $5,000 critical-tier maximum.

    Cybersecurity

    Opera’s own account is more measured. In its advisory, the company says it is “quite confident” the flaw was never exploited in the wild, and frames the attack as complicated to pull off: the victim had to land on a malicious site, end up with a fresh mod, and ignore the removal notice long enough for the redirect to fire.

    The researchers’ demo is the counterweight. Their redirect runs in the seconds before a user can even read the notice, let alone click Remove. It was a narrow, fiddly attack that Opera found no trace of in the wild, and it still worked with zero clicks once it was set up.

    The risk here was never the cosmetic feature by itself. It was reach. Once a mod’s CSS could follow you from one site to the next, “just styling” turned out to be plenty.

    That is the twist on a familiar idea: CSS-only theft usually stays trapped on the page where it is injected, as in PortSwigger’s Blind CSS Exfiltration research, but here it rode along on every site the victim opened.

    It is also not the first Opera feature turned against its users; The Hacker News covered the 2024 MyFlaw bug in Opera’s My Flow, and Opera had been warned about this very auto-install behavior since 2023.

    AutoInstall data flaw malicious Mods opera Pages sites steal visited
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleThe latest Pringles release has people asking the same question: Why?
    Next Article Wimbledon: Britain’s Arthur Fery on ‘incredible’ moment of having Roger Federer watch his Centre Court debut as he reaches quarter-finals | Tennis News
    admin
    • Website

    Related Posts

    Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure

    July 6, 2026

    Iran-Linked Hackers Use New Cavern C2 Framework to Target Israeli Organizations

    July 6, 2026

    16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems

    July 6, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Who was really at Taylor Swift and Travis Kelce’s Madison Square Garden wedding? AI slop makes it hard to tell

    Opinion | Lessons From the Graham Platner Disaster

    Trump Expected to Tell Turkey He Is Ready to Restore Access to F-35 Jets

    Trump was introduced to red and yellow cards in 2018

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by