Home Science & TechSecurity Opera Browser Fixes Big Security Hole That Could Have Exposed Your Information

Opera Browser Fixes Big Security Hole That Could Have Exposed Your Information

by ccadm


A now-patched security flaw in the Opera web browser could have enabled a malicious extension to gain unauthorized, full access to private APIs.

The attack, codenamed CrossBarking, could have made it possible to conduct actions such as capturing screenshots, modifying browser settings, and account hijacking, Guardio Labs said.

To demonstrate the issue, the company said it managed to publish a seemingly harmless browser extension to the Chrome Web Store that could then exploit the flaw when installed on Opera, making it an instance of a cross-browser-store attack.

“This case study not only highlights the perennial clash between productivity and security but also provides a fascinating glimpse into the tactics used by modern threat actors operating just below the radar,” Nati Tal, head of Guardio Labs, said in a report shared with The Hacker News.

Cybersecurity

The issue has been addressed by Opera as of September 24, 2024, following responsible disclosure. That said, this is not the first time security flaws have been identified in the browser.

Earlier this January, details emerged of a vulnerability tracked as MyFlaw that takes advantage of a legitimate feature called My Flow to execute any file on the underlying operating system.

The latest attack technique hinges on the fact that several of Opera-owned publicly-accessible subdomains have privileged access to private APIs embedded in the browser. These domains are used to support Opera-specific features like Opera Wallet, Pinboard, and others, as well as those that are used in internal development.

The names of some of the domains, which also include certain third-party domains, are listed below –

  • crypto-corner.op-test.net
  • op-test.net
  • gxc.gg
  • opera.atlassian.net
  • pinboard.opera.com
  • instagram.com
  • yandex.com

While sandboxing ensures that the browser context remains isolated from the rest of the operating system, Guardio’s research found that content scripts present within a browser extension could be used to inject malicious JavaScript into the overly permissive domains and gain access to the private APIs.

“The content script does have access to the DOM (Document Object Model),” Tal explained. “This includes the ability to dynamically change it, specifically by adding new elements.”

Armed with this access, an attacker could take screenshots of all open tabs, extract session cookies to hijack accounts, and even modify a browser’s DNS-over-HTTPS (DoH) settings to resolve domains through an attacker-controlled DNS server.

Cybersecurity

This could then set the stage for potent adversary-in-the-middle (AitM) attacks when victims attempt to visit bank or social media sites by redirecting them to their malicious counterparts instead.

The malicious extension, for its part, could be published as something innocuous to any of the add-on catalogs, including the Google Chrome Web Store, from where users could download and add it to their browsers, effectively triggering the attack. It, however, requires permission to run JavaScript on any web page, particularly the domains that have access to the private APIs.

With rogue browser extensions repeatedly infiltrating the official stores, not to mention some legitimate ones that lack transparency into their data collection practices, the findings underscore the need for caution prior to installing them.

“Browser extensions wield considerable power — for better or for worse,” Tal said. “As such, policy enforcers must rigorously monitor them.”

“The current review model falls short; we recommend bolstering it with additional manpower and continuous analysis methods that monitor an extension’s activity even post-approval. Additionally, enforcing real identity verification for developer accounts is crucial, so simply using a free email and a prepaid credit card is insufficient for registration.”

Update

When reached for comment, Opera shared the following statement with The Hacker News –

The vulnerability in question was discovered as part of our ongoing work with third-party researchers to identify security flaws and fix them before they have had a chance to be exploited by bad actors. Responsible disclosure is a best practice in cybersecurity, helping software providers stay ahead of threats and allowing researchers to raise awareness about these important issues.

It’s important to note that the vulnerability that Guardio identified could put a user at risk of attack if they were tricked into installing a malicious extension from outside Opera’s Add-ons Store. The extension that Guardio came up with to perform the attack was hosted in a third-party store because Opera’s Add-ons Store applies exclusively manual review of all extensions hosted in it, specifically to stop such malicious extensions from reaching users. This highlights the importance of a robust review process but also a secure infrastructure in browser extension stores, and the power extensions can wield.

There is no evidence of this particular scenario actually occurring in the wild, and to our and Guardio’s knowledge, no Opera users have actually been subjected to this attack. We would like to thank Guardio’s team for this collaboration, which demonstrates how responsible disclosure is a key piece of the software security puzzle and helps keep users safe.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles