Cybersecurity researchers have revealed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that can be exploited to execute any file on the underlying operating system.
The Guardio Labs research team codenamed the remote code execution vulnerability MyFlaw because it exploits a feature called My Flow that synchronizes messages and files between mobile and desktop devices.
“This is accomplished via a controlled browser extension, effectively bypassing the browser’s sandbox and the entire browser process,” the company said in a statement shared with The Hacker News.
The problem affects both Opera Browser and Opera GX. Following responsible disclosure on November 17, 2023, the issue was resolved as part of an update released on November 22, 2023.
My Flow has a chat-like interface for exchanging notes and files, the latter of which can be opened through a web interface, which means the files can be executed outside the security boundaries of the browser.
It comes pre-installed in the browser and is implemented through a built-in (or internal) browser extension called “Opera Touch Background”, which is responsible for communicating with its mobile counterpart.
This also means that the extension comes with its own manifest file, specifying all necessary permissions and its behavior, including an attribute called externally_connectable that declares which other web pages and extensions can connect to it.
For Opera, the domains that can communicate with the extension should match the patterns “*.flow.opera.com” and “.flow.op-test.net” – both of which are controlled by the browser vendor itself.
“This exposes the messaging API to any page that matches the URL pattern you specify,” Google notes in its documentation. “The URL pattern must contain at least one second-level domain.”
Guardio Labs said it was able to use the urlscan.io website scanning tool to discover a “long-forgotten” version of the My Flow landing page hosted on the “web.flow.opera.com” domain.
“The page itself looks exactly like the one currently in production, but there are a few changes hiding behind the scenes: not only is it missing [content security policy] meta tag, but it also contains a script tag that calls a JavaScript file without any integrity checks,” the company said.
“This is exactly what attackers need – an asset that is insecure, forgotten, vulnerable to code injection attacks, and most importantly, access to (very) high-privilege native browser APIs.”
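From a defender's side, the two conditions described above (a page on a host covered by externally_connectable that has no CSP meta tag and loads a script without an integrity attribute) can be checked mechanically across an inventory of your own pages. The following is an added example, not code from Opera or Guardio Labs; the manifest, hosts and HTML are constructed, and the function names are hypothetical. It uses a regex scan rather than a full HTML parser and ignores the path part of match patterns.

```javascript
// Added example: flag pages that can reach an extension's messaging API
// (via externally_connectable) but lack a CSP meta tag or script integrity.
// Manifest, hosts and HTML below are constructed; function names are hypothetical.

// True if the URL's scheme and host fall under a match pattern (path ignored).
function hostMatches(pattern, url) {
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) return false;
  const [, scheme, host] = m;
  const u = new URL(url);
  const proto = u.protocol.slice(0, -1);
  if (scheme === '*' ? !/^https?$/.test(proto) : scheme !== proto) return false;
  if (host === '*') return true;
  if (!host.startsWith('*.')) return u.hostname === host;
  const base = host.slice(2); // "*.a.com" covers a.com and every subdomain
  return u.hostname === base || u.hostname.endsWith('.' + base);
}

// Regex scan (not a full HTML parser); a header-delivered CSP is not checked.
function auditPage(html) {
  const findings = [];
  if (!/<meta[^>]+http-equiv\s*=\s*["']?content-security-policy/i.test(html)) {
    findings.push('no CSP meta tag');
  }
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (src && !/\bintegrity\s*=/i.test(tag)) {
      findings.push('script without integrity: ' + src[1]);
    }
  }
  return findings;
}

// Report every discovered page that is both connectable and weakly protected.
function auditExposedPages(manifest, pages) {
  const patterns = (manifest.externally_connectable || {}).matches || [];
  return pages
    .filter((p) => patterns.some((pat) => hostMatches(pat, p.url)))
    .map((p) => ({ url: p.url, findings: auditPage(p.html) }))
    .filter((r) => r.findings.length > 0);
}

const manifest = { externally_connectable: { matches: ['https://*.flow.example.com/*'] } };
const pages = [ // constructed inventory, e.g. assembled from a scan of your own domains
  { url: 'https://flow.example.com/', html: '<meta http-equiv="Content-Security-Policy" content="script-src \'self\'"><script src="/app.js" integrity="sha384-PLACEHOLDER"></script>' },
  { url: 'https://web.flow.example.com/', html: '<html><script src="/static/main.js"></script></html>' },
  { url: 'https://blog.example.com/', html: '<script src="/x.js"></script>' },
];
console.log(JSON.stringify(auditExposedPages(manifest, pages), null, 2));
```

Only the forgotten subdomain is reported: the hardened page passes both checks, and the third host is outside the wildcard pattern, so its weak page has no path to the extension.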
The attack chain then involves creating a specially crafted extension that poses as a mobile device to pair with the victim’s computer and delivers an encrypted malicious payload to the host via a modified JavaScript file, which prompts the user to click anywhere on the screen to perform the subsequent operations.
The findings highlight the increasing sophistication of browser-based attacks and the different vectors threat actors can exploit to gain an advantage.
“Despite running in a sandbox environment, extensions can still become powerful tools for hackers, allowing them to steal information and breach browser security boundaries,” the company told The Hacker News.
“This highlights the need for internal design changes within Opera and improvements to Chromium infrastructure. For example, it is recommended to disable third-party extension permissions on dedicated production domains, similar to Chrome’s web store, but Opera has not yet implemented it.”
When contacted for comment, Opera said it had acted quickly to close the security vulnerability and implemented a server-side fix, and that it was taking steps to prevent this issue from happening again.
“Our current structure uses HTML standards and is the safest option without breaking critical functionality,” the company said. “After Guardio Labs alerted us to this vulnerability, we eliminated the cause of these issues and ensured that similar issues do not arise in the future.”
“We would like to thank Guardio Labs for their work in discovering this vulnerability and immediately alerting us. This collaboration demonstrates how we work with security experts and researchers around the world to complement our efforts to maintain and improve product security and ensure our users have a safe online experience.”