Opera: Opera GX 0-Click Vulnerability Lets Attackers Exfiltrate User Data via Malicious Website

Opera: Opera GX 0-Click Vulnerability Lets Attackers Exfiltrate User Data via Malicious Website

Opera GX Zero-Click Vulnerability Exposed Users to Silent Data Theft

A recently disclosed vulnerability in Opera GX allowed attackers to silently exfiltrate sensitive user data including Gmail addresses without any user interaction, simply by luring victims to a malicious website. The flaw, discovered by security researcher Rachid Allam, stemmed from the browser’s "GX Mods" feature, which enables customization via packaged .crx files.

Unlike traditional browser extensions, GX Mods automatically install when downloaded, requiring no explicit user permission. Attackers exploited this behavior by embedding a malicious .crx file in a webpage, which installed in the background upon visitation. While GX Mods don’t execute JavaScript or request permissions, they can inject CSS across all visited sites, enabling a cross-site leak (XS-Leak) via universal CSS injection.

The attack leveraged CSS-based data exfiltration, where carefully crafted selectors inferred sensitive information by triggering network requests to an attacker-controlled server. Researchers demonstrated this by reconstructing a victim’s Gmail address using trigrams three-character segments tested via thousands of CSS rules. Advanced techniques, including CSS variables and multi-layered background requests, allowed simultaneous data extraction without browser crashes.

Once the victim visited a target page (e.g., a Google account page), the injected CSS probed for matching patterns, sending requests to the attacker’s server. A reconstruction algorithm then assembled the original data from overlapping trigrams. The attack required no user interaction beyond visiting a malicious site, with the mod installing automatically and initiating data theft.

Additionally, researchers identified a denial-of-service (DoS) condition where triggering mod installation in private browsing mode could crash the browser. Opera patched the critical flaw in May 2026 following a coordinated disclosure through its bug bounty program, awarding the researchers the maximum bounty.

The incident highlights the risks of non-traditional attack surfaces, such as browser customization features, and underscores the growing threat of XS-Leak techniques, which exploit subtle browser behaviors rather than conventional script-based vulnerabilities.

Source: https://cybersecuritynews.com/opera-gx-0-click-vulnerability/

Opera software cybersecurity rating report: https://www.rankiteo.com/company/opera-simulation-software

"id": "OPE1783333638",
"linkid": "opera-simulation-software",
"type": "Vulnerability",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Opera GX users',
                        'industry': 'Technology',
                        'name': 'Opera GX',
                        'type': 'Web Browser'}],
 'attack_vector': 'Malicious Website',
 'data_breach': {'data_exfiltration': 'Yes (via CSS-based XS-Leak)',
                 'personally_identifiable_information': 'Gmail addresses',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Personally Identifiable '
                                             'Information (Gmail addresses)'},
 'date_resolved': '2026-05',
 'description': 'A recently disclosed vulnerability in Opera GX allowed '
                'attackers to silently exfiltrate sensitive user data, '
                'including Gmail addresses, without any user interaction by '
                'luring victims to a malicious website. The flaw stemmed from '
                "the browser’s 'GX Mods' feature, which enables customization "
                'via packaged .crx files. Attackers exploited this by '
                'embedding a malicious .crx file in a webpage, which installed '
                'automatically upon visitation, enabling CSS-based data '
                'exfiltration via cross-site leak (XS-Leak).',
 'impact': {'data_compromised': 'Sensitive user data (e.g., Gmail addresses)',
            'downtime': 'Denial-of-Service (DoS) condition in private browsing '
                        'mode',
            'identity_theft_risk': 'High (Gmail addresses and other sensitive '
                                   'data)',
            'systems_affected': 'Opera GX Browser'},
 'investigation_status': 'Resolved',
 'lessons_learned': 'Highlights the risks of non-traditional attack surfaces '
                    '(e.g., browser customization features) and the growing '
                    'threat of XS-Leak techniques.',
 'post_incident_analysis': {'corrective_actions': 'Patch released to fix the '
                                                  'vulnerability, potential '
                                                  'changes to GX Mods '
                                                  'installation and CSS '
                                                  'injection policies',
                            'root_causes': 'Automatic installation of GX Mods '
                                           'without user permission, CSS '
                                           'injection capabilities enabling '
                                           'XS-Leak attacks'},
 'recommendations': 'Restrict automatic installation of browser mods, enhance '
                    'CSS injection protections, and improve monitoring for '
                    'XS-Leak attacks.',
 'references': [{'source': 'Security Research by Rachid Allam'}],
 'response': {'containment_measures': 'Patch released to fix the vulnerability',
              'remediation_measures': 'Disabling automatic installation of GX '
                                      'Mods or restricting CSS injection '
                                      'capabilities'},
 'title': 'Opera GX Zero-Click Vulnerability Exposed Users to Silent Data '
          'Theft',
 'type': 'Data Exfiltration',
 'vulnerability_exploited': 'GX Mods automatic installation and CSS injection'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.