Opera Browser Vulnerability: Security Threats Explored and Mitigated

The widely-used Chromium-based browser, Opera, faced a security loophole enabling hackers to install files on Windows and macOS systems. Guardio Labs cybersecurity researchers discovered this vulnerability, promptly alerting and collaborating with the browser’s developers to address the issue.

Guardio Labs’ technical analysis attributes the flaw to My Flow, an inherent feature in the browser. This feature relies on Opera Touch Background, an extension bundled with the browser that cannot be technically uninstalled.

Exploiting a Landing Page

My Flow facilitates seamless note-taking and file-sharing between the desktop and mobile versions of the browser, aligning with the growing trend for unified desktop and mobile experiences. Unfortunately, this convenience opens a door to security risks.

The researchers highlight a critical flaw: the chat-like interface adds an “OPEN” link to any message with an attached file, enabling immediate execution from the web interface. This suggests the webpage can interact with a system API and execute files outside the browser’s usual confines, with no sandbox or limits.

Another significant factor is My Flow’s ability to connect with specific web pages and extensions. Guardio Labs struck gold when they stumbled upon a “long-forgotten” version of the My Flow landing page on web.flow.opera.com, lacking crucial security measures.

Though visually similar to the current version, the forgotten page lacks a content security policy meta tag and includes a script tag calling for a JavaScript file without integrity checks. This vulnerability provides an avenue for code injection, granting access to high-permission native browser APIs.

In essence, a threat actor could craft an extension that mimics a mobile device and establishes a connection with the victim’s computer. By dropping encrypted malicious code through a modified JavaScript file, the attacker tricks the user into running it with a simple click anywhere on the screen.

(Source: TheHackerNews)

Bidi Waid
A member of NewForTech’s in-house editorial team focusing on tech news, security, AI, opinions, and technology trends.
