Opera GX Vulnerability Allowed Silent Mod Installation and Page Data Leakage
Security researchers have disclosed a flaw in Opera GX, the gaming-oriented version of Opera’s browser, that could let a malicious website install a mod without user approval and then use it to extrac...
Security researchers have disclosed a flaw in Opera GX, the gaming-oriented version of Opera’s browser, that could let a malicious website install a mod without user approval and then use it to extract selected information from pages the victim later visits. In a proof-of-concept demonstration, the researchers were able to reconstruct a signed-in user’s Gmail address after a single visit, with no clicks required.
Opera has already released a fix in Opera GX version 130.0.5847.89. The company said it has not found evidence that the issue was exploited in the wild. Users running the current build are protected, and the browser’s internal about page can be used to verify the installed version. Opera did not assign a CVE to the flaw.
How the attack worked
Opera GX supports “mods” that change themes, sounds, wallpapers, and site styling. Although these packages are distributed as .crx files, they are not full extensions and do not run JavaScript or request permissions. The problem was the installation flow: a website could trigger a mod download and activation automatically, without a confirmation prompt. Researchers showed that this could be done quietly through a hidden iframe pointing to the mod package.
Once installed, a mod’s CSS applies broadly across pages the browser opens. That gave attackers a way to use so-called universal CSS injection. By combining CSS attribute selectors with image requests to an attacker-controlled server, the mod could test page content one small piece at a time and infer sensitive values character by character. This technique is a form of XS-Leak, or cross-site leak.
To prove the concept, the researchers targeted a Google account page that exposed an email address in its HTML. They built a large ruleset, then used a script to assemble the value from the triggered requests. They also noted a separate side effect: loading a .crx file in private mode could crash the browser and expose open tabs, including in regular Opera, though Opera’s advisory focused on the data-theft issue.
Severity and response
Opera’s bug bounty team initially rated the report lower, but later classified it as a top-severity issue and paid the maximum $5,000 award. The company said the attack would have required a victim to visit a malicious site and remain on the page long enough for the mod installation and redirect chain to complete. The researchers countered that the exploit could run quickly enough to act before a user noticed the browser’s removal notice.
The incident highlights how a feature intended for customization can become a data-exposure risk when its reach extends beyond the original page. In this case, CSS alone was enough to create a broad leak path once it traveled with the browser instead of staying on a single site.
