Opera found a significant security flaw that could have allowed hackers to run any file they want - but it says everything is now fine (2024)

UPDATE: Opera has published a response to the reports, claiming that the flaw is no longer active and has been addressed.

"There is no evidence that the vulnerability was ever exploited, and Opera users’ security was never compromised as a result," it said. "It’s also important to note that, as mentioned above, the vulnerability would require the installation of a malicious add-on in order to work. This would be very hard to accomplish on Opera, because we employ manual review in our add-ons store – another measure we take to protect users."

"This vulnerability, which no longer exists, was identified as part of a collaboration with security researchers Guardio Labs, and was subsequently fixed within only five days – as such, Opera users are not at risk."

Opera, a popular Chromium-based browser, was found carrying a vulnerability that would allow hackers to install pretty much any file on both Windows and macOS operating systems.

The vulnerability was discovered by cybersecurity researchers from Guardio Labs, who notified the browser’s developers and helped them plug the hole.

In its technical writeup, Guardio Labs explained that the flaw stemmed from a feature built into the browser, called My Flow. My Flow is built on a browser extension called Opera Touch Background, which comes preinstalled with the browser and technically can’t be removed.

Abusing a landing page

My Flow allows users to take notes and share files between the desktop and mobile versions of the browser. There is a trend among software developers to allow users a seamless transition between desktop and mobile solutions for both work and play. In this case, however, the feature came at the cost of security.

“The chat-like interface adds an “OPEN” link to any message with an attached file, allowing users to immediately execute the file from the web interface,” the researchers explain. “This indicates that the webpage context can somehow interact with a system API and execute a file from the file system, outside the browser’s usual confines, with no sandbox, no limits.”

The second important factor is that specific other web pages, as well as extensions, can connect to My Flow. When Guardio Labs’ researchers found a “long-forgotten” version of the My Flow landing page on the web.flow.opera.com domain, they seemingly struck gold.

"The page itself looks quite the same as the current one in production, but changes lie under the hood: Not only that it lacks the [content security policy] meta tag, but it also holds a script tag calling for a JavaScript file without any integrity check," the company said.

"This is exactly what an attacker needs – an unsafe, forgotten, vulnerable to code injection asset, and most importantly, has access to (very) high permission native browser API."

Consequently, a threat actor could create an extension that impersonates a mobile device to which the victim’s computer can connect. They could then drop encrypted malicious code via the modified JavaScript file and have the user run it simply by clicking anywhere on the screen.

Opera says it has now fixed the issue.
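For teams auditing their own forgotten pages, the two gaps Guardio Labs names (no content security policy, and a script tag without an integrity check) can be checked mechanically. The sketch below is an added example, not code from Guardio Labs or Opera; the sample pages, the `example.test` hosts and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.csp_meta = False
        self.scripts = []  # (src, integrity) for each external script

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            # An empty policy restricts nothing, so it does not count.
            self.csp_meta = self.csp_meta or bool(a.get("content"))
        elif tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity", "")))

def audit_page(html, page_url, headers=None):
    """Report the two gaps named in the quote: no CSP, and external
    scripts loaded without a Subresource Integrity (SRI) hash."""
    c = _Collector()
    c.feed(html)
    c.close()
    has_csp = c.csp_meta or any(k.lower() == "content-security-policy" for k in (headers or {}))
    origin = urlsplit(page_url)[:2]  # (scheme, host[:port])
    unpinned = []
    for src, integrity in c.scripts:
        # SRI values start with the hash algorithm, e.g. "sha384-...".
        if not integrity.lower().startswith(("sha256-", "sha384-", "sha512-")):
            cross = urlsplit(urljoin(page_url, src))[:2] != origin
            unpinned.append({"src": src, "cross_origin": cross})
    return {"has_csp": has_csp, "scripts_without_sri": unpinned}

# Constructed sample pages (not Opera's markup); hosts are placeholders.
LEGACY = """<html><head><title>old landing page</title>
<script src="https://cdn.example.test/app.js"></script>
</head><body></body></html>"""

CURRENT = """<html><head>
<meta http-equiv="Content-Security-Policy" content="script-src 'self' https://cdn.example.test">
<script src="https://cdn.example.test/app.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/local.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for name, doc in (("legacy", LEGACY), ("current", CURRENT)):
        print(name, audit_page(doc, "https://app.example.test/"))
```

Pass the response headers as the third argument when a policy may be delivered by HTTP header rather than a meta tag, so that such pages are not reported as lacking CSP.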

Via TheHackerNews

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
