Guardio Labs Discovers Vulnerability in Opera Browser
Quick take: Guardio Labs has disclosed a significant vulnerability in the Opera browser, named “CrossBarking,” which allows malicious extensions to exploit permissive Private APIs, potentially enabling screen capturing and account hijacking. Opera implemented a fix following the disclosure.
Fast Facts
- Guardio Labs discovered a critical vulnerability in the Opera browser, named “CrossBarking,” allowing malicious extensions to exploit permissive Private APIs for actions like screen capturing and account hijacking.
- The vulnerability was demonstrated by creating a malicious extension that bypassed security measures and was placed in the official Chrome Store, potentially affecting millions of users.
- Opera’s use of special web apps with unique privileges raises security concerns, as these can access Private APIs that allow for significant manipulation of browser settings and user data.
- Guardio Labs showcased the exploit by changing a victim’s DNS settings through a crafted extension, highlighting the ease of creating malicious extensions that can evade detection.
- Opera has since removed third-party domain privileges and implemented fixes, emphasizing the importance of collaboration with researchers to enhance browser security.
Critical Vulnerability Discovered in Opera Browser
Guardio Labs has identified a critical vulnerability in the Opera browser, which allows malicious extensions to exploit permissive Private APIs. This vulnerability enables actions such as screen capturing, browser setting modifications, and account hijacking.
Discovery of “CrossBarking”
The discovery, named “CrossBarking,” follows Guardio Labs’ earlier identification of a similar issue, MyFlaw, highlighting ongoing challenges in browser security. Guardio Labs’ research team demonstrated the ease of bypassing extension store security measures by adopting a ‘black hat’ approach. Using a free email account and AI-generated content, they created a fully operational malicious extension exploiting this vulnerability. This extension was then placed in the official Chrome Store, creating a cross-browser-store attack that could potentially reach millions of unsuspecting users worldwide.
The case study illustrates the clash between productivity and security and provides insight into the tactics used by modern threat actors. Modern websites function like applications, running code directly in browsers. To ensure security, browsing contexts must be sandboxed, isolated from the rest of the system.
The Role of Private APIs
Chromium’s design includes specific APIs that website code uses to interact with browsers and systems outside of the sandbox. These APIs provide a controlled environment for features like autocomplete, cookie management, and secure payments. However, when custom web apps or browser features require unique capabilities, Private APIs come into play.
The Opera Browser employs special web apps under specific domains with unique privileges to support features like Opera Flow, Opera Wallet, and Pinboard. These domains can access special Private APIs embedded in Opera’s native code. The list of domains with special privileges includes Opera’s primary domain, subdomains, and several third-party domains for toolbar integrations. Even Opera’s internal development domains are included in the production version of the browser and are publicly reachable.
An example of this method is Opera’s pinboard feature, which allows users to pin websites and other items into virtual boards. The browser takes screenshots of pinned websites using a special Private API created for this feature. This method is common among Chromium-based products to deliver advanced user experiences. However, hard-coded domains with over-permissive access raise security concerns.
Exploitation and Response
Security researchers might consider using an XSS (Cross-Site Scripting) vulnerability to inject custom code into pages behind permissive domains and call those APIs. Other methods include finding “left-over” domains that still hold permissions or forcefully taking over such domains. Browser extensions are inherently powerful and are automatically granted special permissions upon installation. They can monitor and modify every website visited and every network request made.
Guardio Labs created a proof of concept extension to activate permissive APIs. Accessible APIs include those for extracting session cookies, hijacking accounts, and taking screenshots of open tabs. Some APIs can be part of a wider attack flow, such as disabling security-related extensions or changing browser settings. As a proof of concept, Guardio Labs changed the browser’s DNS over HTTPS settings, allowing attackers to spy on activity, manipulate page content, and display phishing pages.
Guardio Labs packaged the exploit in a real extension and added it to the official extension store. Opera’s extension store is curated and manually reviews all extensions, unlike the semi-automated operations of the Google Chrome Store. However, Opera allows installing extensions from Google’s Chrome Store if not found on their store. Guardio Labs created a puppy-themed extension to demonstrate the exploit, which was quickly coded and approved within 24 hours.
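The core of the flow above is an extension that is allowed to run script on one of the browser's privileged origins. A reviewer or administrator can check for that combination directly from the manifest. This is an added example, not Guardio's or Opera's code: the privileged origin list and the sample manifest are constructed, and the match-pattern logic is a simplified version of Chromium's.

```python
import fnmatch
from urllib.parse import urlparse

# Constructed, hypothetical privileged origins: the article gives no real domain list.
PRIVILEGED_ORIGINS = [
    "https://pinboard.example-browser.test/boards",
    "https://dev.example-browser.test/",
    "https://toolbar-partner.example.test/widget",
]

# Constructed manifest modelled on a harmless-looking themed extension (not Guardio's).
SAMPLE_MANIFEST = {
    "manifest_version": 3, "name": "Puppy Pictures (constructed sample)",
    "permissions": ["storage"], "host_permissions": ["https://api.puppies.example/*"],
    "content_scripts": [{"matches": ["*://*.example-browser.test/*"], "js": ["inject.js"]}],
}

def pattern_matches(pattern: str, url: str) -> bool:
    """Simplified Chromium match-pattern check: <all_urls>, scheme, host and path globs."""
    if pattern == "<all_urls>":
        return True
    scheme_pat, rest = pattern.split("://", 1)
    host_pat, _, path_pat = rest.partition("/")
    u = urlparse(url)
    if scheme_pat == "*":
        if u.scheme not in ("http", "https"):  # a "*" scheme covers only http(s)
            return False
    elif scheme_pat != u.scheme:
        return False
    host = u.hostname or ""
    if host_pat.startswith("*."):  # "*.example.test" also matches the bare domain
        base = host_pat[2:]
        if host != base and not host.endswith("." + base):
            return False
    elif host_pat != "*" and host != host_pat:
        return False
    return fnmatch.fnmatchcase(u.path or "/", "/" + path_pat)

def injection_patterns(manifest: dict) -> list[str]:
    """Every pattern under which the extension may run script in a page."""
    pats = list(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        pats.extend(cs.get("matches", []))
    return pats

def audit_manifest(manifest: dict, privileged: list[str]) -> dict[str, list[str]]:
    """Map each privileged URL the extension could inject into -> patterns granting that reach."""
    pats = injection_patterns(manifest)
    return {u: hits for u in privileged if (hits := [p for p in pats if pattern_matches(p, u)])}
```

For the constructed sample, `audit_manifest(SAMPLE_MANIFEST, PRIVILEGED_ORIGINS)` flags the two `example-browser.test` origins reached through the content-script pattern and nothing for the third-party toolbar origin.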
The exploit was disclosed to Opera, which deployed a fix on September 24, 2024, removing third-party domain privileges and initiating a refactoring of features to eliminate the vulnerable flow. Guardio Labs continues to combat threats by unveiling new mitigation strategies and developing advanced detection methods. Opera’s official statement emphasizes the importance of working with third-party researchers to identify vulnerabilities and fix them before exploitation.