Security researchers have uncovered a critical vulnerability in Opera GX that could allow attackers to inject malicious CSS across every webpage a victim visits.
The issue affects the browser’s GX Mods feature and could be exploited to leak sensitive information from websites without requiring the victim to install a traditional browser extension.
Researchers demonstrated a zero-click attack where simply visiting a malicious webpage could trigger the installation of a harmful browser mod.
How the Attack Works
GX Mods are designed to let users personalize Opera GX by adding themes, sounds, wallpapers, and CSS-based customizations.
Unlike browser extensions, GX Mods do not require special permissions or JavaScript.
Researchers discovered that malicious GX Mods packaged as .crx files can be installed automatically when downloaded through an embedded webpage, requiring little or no user interaction.
After installation, the malicious CSS is applied across every browser tab, allowing attackers to target multiple websites.
Potential Security Risks
Once the malicious CSS is active, attackers can use CSS-based XS-Leaks techniques to infer sensitive information from webpages.
Although CSS cannot directly read confidential data, it can trigger network requests based on specific webpage elements, allowing attackers to gradually leak information.
Researchers demonstrated that attackers could reconstruct data such as email addresses by analyzing small pieces of information collected from the browser.
Possible risks include:
- Cross-site data leakage
- Exposure of sensitive account information
- Privacy violations
- Universal CSS injection across browser tabs
Browser Crash Issue
Researchers also identified a separate denial-of-service (DoS) issue affecting both Opera GX and the standard Opera browser.
Triggering a malicious .crx download while browsing in Incognito Mode could cause the browser to crash and restart, resulting in the loss of the current browsing session.
Patch Available
The vulnerabilities were responsibly disclosed through Opera’s bug bounty program.
Opera has released fixes to address the reported issues, reducing the risk of automatic mod installation and improving the browser’s handling of GX Mods.
Users are encouraged to update to the latest version of Opera GX to ensure they are protected against these vulnerabilities.