Cybersecurity researchers have identified a significant security vulnerability in the Opera web browser designed for both Windows and macOS platforms. This flaw exposes a potential threat where malicious actors could execute any file on the affected machine.

The vulnerability is associated with a feature known as My Flow, which is designed to facilitate the synchronization of messages and files between users’ mobile and desktop devices. The research team at Guardio Labs has aptly named this remote code execution vulnerability MyFlaw.

As reported by The Hacker News, a statement from the corporation reveals that the exploit is executed through a carefully crafted browser extension. This extension skillfully circumvents both the browser’s sandbox and the entire browser process.

It’s important to note that this issue impacts not only the standard Opera browser but also its gaming-centric variant, Opera GX. The corporation promptly addressed the vulnerability, releasing a fix on November 22, 2023, in response to the responsible disclosure made on November 17, 2023.

My Flow allows users to exchange notes and files within a chat-like interface. Notably, the shared files can be accessed through a web interface, allowing them to be executed even when the browser is not actively open.

The interaction with the mobile version is facilitated by an integral browser extension called “Opera Touch Background,” which is pre-installed within the browser. This extension plays a crucial role in managing communication seamlessly between different devices.

The extension’s actions and permissions are outlined in its dedicated manifest file, wherein a key parameter, “externally_connectable,” delineates the permissible connections with other extensions and web pages.

In the case of the Opera browser, communication with the extension is restricted to domains aligning with the specified patterns: “*.flow.opera.com” and “.flow.op-test.net.” It’s crucial to note that both of these domains are under the ownership of the browser vendor, ensuring a controlled and secure communication environment.

Google’s documentation clarifies that “this exposes the messaging API to any page that matches the URL patterns you specify.” It emphasizes, “The URL pattern must contain at least a second-level domain.”

Guardio Labs uncovered a “long-forgotten” My Flow landing page during its use of the urlscan.io internet scanner. This landing page was situated on the domain “web.flow.opera.com,” as reported by the company.

According to the findings, Guardio Labs notes, “The page itself looks quite the same as the current one in production, but changes lie under the hood: Not only that it lacks the [content security policy] meta tag, but it also holds a script tag calling for a JavaScript file without any integrity check,” 

“This is exactly what an attacker needs – an unsafe, forgotten, vulnerable to code injection asset, and most importantly, has access to (very) high permission native browser API.”

In the next phase of the attack chain, an extension designed to resemble a mobile device establishes a connection with the victim’s computer. It sends a modified JavaScript file containing an encrypted malicious payload. Upon the user clicking anywhere on the screen, the host computer then executes the payload.

These findings highlight the evolving tactics of threat actors, showcasing the expanding arsenal at their disposal. The observed sophistication in browser-based attacks underscores the increasing complexity of cyber threats.

The Hacker News was told, “Despite operating in sandboxed environments, extensions can be powerful tools for hackers, enabling them to steal information and breach browser security boundaries. “

This highlights the need for improvements in Chromium’s infrastructure and underscores the necessity for internal design adjustments within Opera. Notably, unlike Chrome’s web store, Opera has not implemented the recommended practice of restricting third-party extension rights on dedicated production domains.

In response to inquiries, Opera conveyed that it swiftly resolved the security vulnerability by patching the server side. Additionally, the company assured that it is implementing measures to prevent the recurrence of similar problems in the future.

“Our current structure uses an HTML standard, and is the safest option that does not break key functionality,” according to the business. “After Guardio alerted us to this vulnerability, we removed the cause of these issues, and we are making sure that similar problems will not appear in the future.”

We value Guardio Labs’ efforts in discovering and alerting us to this issue. This collaboration exemplifies our dedication to partnering with global security experts and researchers to bolster the safety of our products, ensuring our consumers enjoy a worry-free online experience.