Guardio Labs Exposes Critical Zero-Day Flaw in Opera Browser

Security researchers from Guardio Labs uncovered a significant oversight in Opera’s web browser for Windows and macOS that allows attackers to execute any file, including malicious ones, on the computer’s underlying operating system.

The vulnerability, dubbed “MyFlaw” (a play on words with “My Flow,” a feature that syncs messages and files between mobile and desktop devices), is exploited using an attacker-controlled browser extension. This effectively bypasses the browser’s sandbox and the browser process, and it affects both the regular and Opera GX versions.

My Flow features a chat-like interface for transferring notes and files between smartphones and desktop computers. However, files from this chat can be executed directly through the web browser interface, bypassing browser security.

My Flow is powered by the “Opera Touch Background” extension, which handles communication with its mobile counterpart. The extension ships with its own manifest file, which details its behavior and required permissions, including the “externally_connectable” property.

Domains allowed to communicate with the extension should match patterns controlled by the browser developer. Yet, Guardio Labs found a “forgotten” version of the My Flow start page on the “web.flow.opera.com” domain, lacking a content security policy tag but containing a script tag invoking a JavaScript file without integrity checks.

“This is exactly what an attacker needs — an unsafe, forgotten, vulnerable to code injection asset, and most importantly — has access to (very) high permission native browser API!” states the Guardio Labs report.
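A defender-side check for the conditions described above, as an added example that is not code from Guardio Labs or Opera: it flags wide `externally_connectable` match patterns in an extension manifest, and pages that lack a Content Security Policy or load scripts without an `integrity` attribute. The manifest, page and domain names are constructed for illustration.

```python
import json
from html.parser import HTMLParser

# Constructed inputs: these are illustrative, not Opera's real manifest or page.
SAMPLE_MANIFEST = json.dumps({"externally_connectable": {"matches": [
    "https://*.flow.example.com/*",   # any subdomain may message the extension
    "https://app.example.com/*",      # single, explicitly named host
    "*://*.example.org/*",            # any scheme, any subdomain
]}})
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script src="/static/main.js" integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
</head><body></body></html>"""


def audit_manifest(manifest_json):
    """Return (pattern, reason) for match patterns wider than one HTTPS host."""
    matches = json.loads(manifest_json).get("externally_connectable", {}).get("matches", [])
    findings = []
    for pattern in matches:
        scheme, _, rest = pattern.partition("://")
        host = rest.split("/", 1)[0]
        if scheme != "https":
            findings.append((pattern, "scheme not restricted to https"))
        elif host.startswith("*."):
            findings.append((pattern, "wildcard subdomain"))
    return findings


class _PageAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.has_csp_meta = False
        self.scripts_without_sri = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            self.has_csp_meta = True
        elif tag == "script" and a.get("src") and not a.get("integrity"):
            self.scripts_without_sri.append(a["src"])


def audit_page(html, csp_header=None):
    """Report whether a CSP exists (meta tag or response header) and which scripts lack SRI."""
    parser = _PageAudit()
    parser.feed(html)
    return {"csp_present": parser.has_csp_meta or bool(csp_header),
            "scripts_without_sri": parser.scripts_without_sri}
```

Every host that a flagged pattern can match is a candidate for `audit_page`, since any page served from one of them can message the extension.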

The attack chain involves a hacker-created extension, disguised as a mobile device, communicating with the victim’s computer and transmitting encrypted malicious code through a modified JavaScript file, activated by a simple user click.

Researchers highlight that even in isolated environments, extensions can become potent tools for hackers, enabling them to steal information and breach browser security boundaries.

Opera representatives addressed the vulnerability on November 22, 2023, just five days after its disclosure. Developers also implemented server-side fixes and took steps to prevent similar future issues. Public disclosure was delayed for security reasons, ensuring widespread user access to the necessary updates.