Critical Opera GX Browser Flaw Enabled Zero-Click Data Theft and DoS Attacks
A severe vulnerability in the Opera GX browser, discovered by independent security researcher zhero_web_security, allowed malicious websites to automatically install a customization mod without user interaction enabling data theft and browser crashes.
Opera GX’s GX Mods feature lets users personalize the browser’s appearance, sounds, and website styling. Unlike traditional extensions, mods lack permissions and cannot execute JavaScript. However, the flaw allowed attackers to force-install a mod simply by loading a hidden frame pointing to its file. Once installed, the mod’s CSS styling applied across all open tabs, granting persistent access to every site a victim visited.
While CSS alone cannot read page content directly, the researcher demonstrated how it could be weaponized to exfiltrate data via cross-site leaks (XS-Leaks). In a proof of concept, the attack silently redirected victims to a Google account page, extracting their full Gmail address. The method was not limited to email addresses, suggesting broader data exposure risks.
The same auto-install behavior also enabled a denial-of-service (DoS) attack. Since Chromium-based browsers block extensions in private windows, forcing a mod installation in Incognito mode caused Opera GX to crash, wiping all open tabs. Any file with a .crx extension even non-functional ones triggered the crash.
The researcher reported the flaw to Opera’s Bugcrowd bug bounty program in February. Initially classified as low-priority, Opera’s security team later re-evaluated it as critical. A patch was released on May 8, and the researcher received a $5,000 bounty. The findings, including a proof of concept, were published on July 3, confirming the vulnerability in Opera GX version 127.0.5778.41 before the fix.
Source: https://www.infosecurity-magazine.com/news/opera-gx-flaw-gx-mods-css/
OPERA TECH, Inc. (Acquired by Sierra) cybersecurity rating report: https://www.rankiteo.com/company/opera-tech-inc
"id": "OPE1783355236",
"linkid": "opera-tech-inc",
"type": "Vulnerability",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Users of Opera GX browser '
'(version 127.0.5778.41 and '
'earlier)',
'industry': 'Technology, Software',
'name': 'Opera GX',
'type': 'Web browser'}],
'attack_vector': 'Malicious website (hidden frame)',
'customer_advisories': 'Users advised to update Opera GX to the latest '
'version to mitigate the vulnerability.',
'data_breach': {'data_exfiltration': 'Yes (via XS-Leaks)',
'personally_identifiable_information': 'Yes (Gmail addresses)',
'sensitivity_of_data': 'High (email addresses, potential for '
'broader data exposure)',
'type_of_data_compromised': 'Personally identifiable '
'information (e.g., Gmail '
'addresses)'},
'date_detected': '2024-02',
'date_publicly_disclosed': '2024-07-03',
'date_resolved': '2024-05-08',
'description': 'A severe vulnerability in the Opera GX browser allowed '
'malicious websites to automatically install a customization '
'mod without user interaction, enabling data theft via '
'cross-site leaks (XS-Leaks) and browser crashes (DoS '
'attacks). The flaw exploited the GX Mods feature, which lacks '
'permissions and cannot execute JavaScript but could be forced '
"to install via a hidden frame. Once installed, the mod's CSS "
'styling applied across all tabs, granting persistent access '
'to every site a victim visited. The attack could silently '
'extract sensitive data, such as Gmail addresses, and cause '
'Opera GX to crash in Incognito mode.',
'impact': {'brand_reputation_impact': 'Negative impact due to critical '
'vulnerability disclosure',
'data_compromised': 'Gmail addresses, potential broader data '
'exposure via XS-Leaks',
'downtime': 'Browser crashes in Incognito mode, wiping all open '
'tabs',
'identity_theft_risk': 'Potential risk due to data exfiltration '
'(e.g., Gmail addresses)',
'operational_impact': 'Denial-of-Service (DoS) attacks, persistent '
'unauthorized access to user browsing '
'activity',
'systems_affected': 'Opera GX browser (version 127.0.5778.41 and '
'earlier)'},
'investigation_status': 'Resolved',
'lessons_learned': 'Critical vulnerabilities can be overlooked initially; '
'thorough re-evaluation of reported flaws is necessary. '
'Browser customization features without proper safeguards '
'can introduce severe security risks.',
'motivation': 'Bug bounty, security research',
'post_incident_analysis': {'corrective_actions': 'Patch released to prevent '
'auto-installation of mods '
'without user consent.',
'root_causes': 'Lack of user interaction '
'validation for GX Mods '
'installation, insufficient '
'sandboxing of browser '
'customization features.'},
'recommendations': '1. Implement stricter validation for mod installations. '
'2. Enhance permissions and sandboxing for browser '
'customization features. 3. Conduct regular security '
'audits of high-risk features. 4. Improve bug bounty '
'triage processes to prioritize critical vulnerabilities '
'accurately.',
'references': [{'date_accessed': '2024-07-03',
'source': "zhero_web_security (researcher's disclosure)"}],
'response': {'communication_strategy': 'Public disclosure on July 3, 2024, '
'including proof of concept',
'containment_measures': 'Patch released on May 8, 2024',
'remediation_measures': 'Fixed the auto-installation flaw in GX '
'Mods'},
'threat_actor': 'zhero_web_security (independent security researcher)',
'title': 'Critical Opera GX Browser Flaw Enabled Zero-Click Data Theft and '
'DoS Attacks',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': 'Auto-installation of GX Mods without user '
'interaction'}