Opera Browser Fixes Big Security Hole That Could Have Exposed Your Information

Avatar
A now-patched security flaw in the Opera web browser could have enabled a malicious extension to gain unauthorized, full access to private APIs. The attack, codenamed CrossBarking, could have made it possible to conduct actions such as capturing screenshots, modifying browser settings, and account hijacking, Guardio Labs said. To demonstrate the issue, the company said it managed to publish a
[[{“value”:”

A now-patched security flaw in the Opera web browser could have enabled a malicious extension to gain unauthorized, full access to private APIs.

The attack, codenamed CrossBarking, could have made it possible to conduct actions such as capturing screenshots, modifying browser settings, and account hijacking, Guardio Labs said.

To demonstrate the issue, the company said it managed to publish a seemingly harmless browser extension to the Chrome Web Store that could then exploit the flaw when installed on Opera, making it an instance of a cross-browser-store attack.

“This case study not only highlights the perennial clash between productivity and security but also provides a fascinating glimpse into the tactics used by modern threat actors operating just below the radar,” Nati Tal, head of Guardio Labs, said in a report shared with The Hacker News.

The issue has been addressed by Opera as of September 24, 2024, following responsible disclosure. That said, this is not the first time security flaws have been identified in the browser.

Earlier this January, details emerged of a vulnerability tracked as MyFlaw that takes advantage of a legitimate feature called My Flow to execute any file on the underlying operating system.

The latest attack technique hinges on the fact that several of Opera-owned publicly-accessible subdomains have privileged access to private APIs embedded in the browser. These domains are used to support Opera-specific features like Opera Wallet, Pinboard, and others, as well as those that are used in internal development.

The names of some of the domains, which also include certain third-party domains, are listed below –

crypto-corner.op-test.net
op-test.net
gxc.gg
opera.atlassian.net
pinboard.opera.com
instagram.com
yandex.com

While sandboxing ensures that the browser context remains isolated from the rest of the operating system, Guardio’s research found that content scripts present within a browser extension could be used to inject malicious JavaScript into the overly permissive domains and gain access to the private APIs.

“The content script does have access to the DOM (Document Object Model),” Tal explained. “This includes the ability to dynamically change it, specifically by adding new elements.”

Armed with this access, an attacker could take screenshots of all open tabs, extract session cookies to hijack accounts, and even modify a browser’s DNS-over-HTTPS (DoH) settings to resolve domains through an attacker-controlled DNS server.

This could then set the stage for potent adversary-in-the-middle (AitM) attacks when victims attempt to visit bank or social media sites by redirecting them to their malicious counterparts instead.

The malicious extension, for its part, could be published as something innocuous to any of the add-on catalogs, including the Google Chrome Web Store, from where users could download and add it to their browsers, effectively triggering the attack. It, however, requires permission to run JavaScript on any web page, particularly the domains that have access to the private APIs.

With rogue browser extensions repeatedly infiltrating the official stores, not to mention some legitimate ones that lack transparency into their data collection practices, the findings underscore the need for caution prior to installing them.

“Browser extensions wield considerable power — for better or for worse,” Tal said. “As such, policy enforcers must rigorously monitor them.”

“The current review model falls short; we recommend bolstering it with additional manpower and continuous analysis methods that monitor an extension’s activity even post-approval. Additionally, enforcing real identity verification for developer accounts is crucial, so simply using a free email and a prepaid credit card is insufficient for registration.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Previous Post

Researchers Uncover Python Package Targeting Crypto Wallets with Malicious Code

Next Post

North Korean hackers seen collaborating with Play ransomware group, researchers say

Related Posts

North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack

Threat actors in North Korea have been implicated in a recent incident that deployed a known ransomware family called Play, underscoring their financial motivations. The activity, observed between May and September 2024, has been attributed to a threat actor tracked as Jumpy Pisces, which is also known as Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy,
Avatar
Read More

OpenAI Blocks Iranian Influence Operation Using ChatGPT for U.S. Election Propaganda

OpenAI on Friday said it banned a set of accounts linked to what it said was an Iranian covert influence operation that leveraged ChatGPT to generate content that, among other things, focused on the upcoming U.S. presidential election. "This week we identified and took down a cluster of ChatGPT accounts that were generating content for a covert Iranian influence operation identified as
Avatar
Read More

PAN-OS Firewall Vulnerability Under Active Exploitation – IoCs Released

Palo Alto Networks has released new indicators of compromise (IoCs) a day after the network security vendor confirmed that a new zero-day vulnerability impacting its PAN-OS firewall management interface has been actively exploited in the wild. To that end, the company said it observed malicious activity originating from below IP addresses and targeting PAN-OS management web interface IP
Avatar
Read More