Opera GX Flaw Allowed Silent Data Theft via Malicious Browser Mods
Researchers discovered a critical vulnerability in Opera GX, the gaming-focused version of the Opera browser, that enabled attackers to silently install a malicious mod and extract sensitive data from visited pages without any user interaction. The flaw, which Opera has since patched, could reconstruct a signed-in user’s full Gmail address from a single visit to a malicious site.
How the Attack Worked
The exploit leveraged GX Mods, a feature allowing users to customize Opera GX with themes, sounds, and CSS-based restyling. Unlike traditional extensions, mods lack JavaScript execution and permissions but their auto-install mechanism was the weak point. A malicious website could force-install a mod by loading a hidden iframe pointing to a .crx file, bypassing user approval.
Once installed, the mod’s CSS rules applied universally across all visited sites, enabling a technique called universal CSS injection. While CSS alone can’t read or transmit data, attackers used attribute selectors to test for specific values (e.g., an email address in a hidden HTML field) and leak them character by character via XS-Leak (cross-site leak). By firing thousands of CSS rules, the attack reconstructed the target’s Gmail address from myaccount.google.com in seconds before the user could react to the mod’s removal notice.
The researchers also demonstrated a second exploit: loading a malicious .crx file in private mode crashed the browser, exposing all open tabs. This affected both Opera GX and the standard Opera browser.
Response & Patch
Opera classified the flaw as P1 (highest severity) and awarded the researchers the maximum $5,000 bug bounty. The company released a fix in Opera GX version 130.0.5847.89, stating it found no evidence of in-the-wild exploitation. However, the researchers countered that the attack was automated and fast enough to succeed before users could intervene.
Broader Implications
The incident highlights risks in browser customization features even those deemed "harmless." While Opera downplayed the attack’s complexity, the researchers proved that CSS-based data exfiltration could extend beyond a single page, turning a cosmetic tool into a persistent threat. This follows previous Opera vulnerabilities, including the 2023 address bar spoofing and 2024 MyFlaw exploits, underscoring recurring security gaps in the browser’s design.
Source: https://thehackernews.com/2026/07/opera-gx-flaw-let-malicious-sites-auto.html
Google TPRM report: https://www.rankiteo.com/company/google
Opera TPRM report: https://www.rankiteo.com/company/opera-memphis
"id": "gooope1783326532",
"linkid": "google, opera-memphis",
"type": "Cyber Attack",
"date": "3/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Users of Opera GX and standard '
'Opera browser',
'industry': 'Technology/Software',
'name': 'Opera GX',
'type': 'Browser'}],
'attack_vector': 'Malicious Browser Mods (GX Mods)',
'data_breach': {'data_exfiltration': 'Yes (via CSS-based XS-Leak)',
'personally_identifiable_information': 'Gmail addresses',
'sensitivity_of_data': 'High (Gmail addresses)',
'type_of_data_compromised': 'Personally Identifiable '
'Information (PII)'},
'description': 'Researchers discovered a critical vulnerability in Opera GX, '
'the gaming-focused version of the Opera browser, that enabled '
'attackers to silently install a malicious mod and extract '
'sensitive data from visited pages without any user '
'interaction. The flaw could reconstruct a signed-in user’s '
'full Gmail address from a single visit to a malicious site.',
'impact': {'brand_reputation_impact': 'High (recurring security gaps in '
'browser design)',
'data_compromised': 'Gmail addresses, sensitive data from visited '
'pages',
'identity_theft_risk': 'High (Gmail address exposure)',
'systems_affected': 'Opera GX browser, standard Opera browser (via '
'private mode crash)'},
'investigation_status': 'Patched, no evidence of in-the-wild exploitation '
'found',
'lessons_learned': 'Risks in browser customization features, even those '
"deemed 'harmless'; CSS-based data exfiltration can be "
'persistent and automated; need for stricter security '
'reviews of mod/extension mechanisms.',
'post_incident_analysis': {'corrective_actions': 'Patch released to fix mod '
'auto-install, address CSS '
'injection vulnerability, '
'and prevent private mode '
'crashes from exposing open '
'tabs',
'root_causes': 'Auto-install mechanism for GX '
'Mods, lack of JavaScript execution '
'restrictions in mods enabling '
'CSS-based exfiltration, '
'insufficient validation of .crx '
'files in private mode'},
'recommendations': 'Enhance security reviews for browser customization '
'features, implement stricter controls for mod/extension '
'installation, monitor for CSS-based exfiltration '
'techniques, and improve user awareness of mod-related '
'risks.',
'references': [{'source': "Researchers' disclosure"}],
'response': {'communication_strategy': 'Public disclosure via researchers, '
'bug bounty awarded',
'containment_measures': 'Patch released in Opera GX version '
'130.0.5847.89',
'remediation_measures': 'Fixed auto-install mechanism for GX '
'Mods, addressed CSS injection '
'vulnerability'},
'title': 'Opera GX Flaw Allowed Silent Data Theft via Malicious Browser Mods',
'type': 'Data Theft',
'vulnerability_exploited': 'Auto-install mechanism of GX Mods, universal CSS '
'injection, XS-Leak (cross-site leak)'}