
Opera MyFlaw Bug Could Let Hackers Run ANY File on Your Mac or Windows

Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system.

The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow that makes it possible to sync messages and files between mobile and desktop devices.

“This is achieved through a controlled browser extension, effectively bypassing the browser’s sandbox and the entire browser process,” the company said in a statement shared with The Hacker News.

The issue impacts both the Opera browser and Opera GX. Following responsible disclosure on November 17, 2023, it was addressed as part of updates shipped on November 22, 2023.

My Flow features a chat-like interface to exchange notes and files, the latter of which can be opened via a web interface, meaning a file can be executed outside of the browser’s security boundaries.

It is pre-installed in the browser and facilitated by means of a built-in (or internal) browser extension called “Opera Touch Background,” which is responsible for communicating with its mobile counterpart.


This also means that the extension comes with its own manifest file specifying all the required permissions and its behavior, including a property called externally_connectable that declares which other web pages and extensions can connect to it.


In the case of Opera, the domains that can talk to the extension should match the patterns “*.flow.opera.com” and “.flow.op-test.net” – both controlled by the browser vendor itself.

“This exposes the messaging API to any page that matches the URL patterns you specify,” Google notes in its documentation. “The URL pattern must contain at least a second-level domain.”

Guardio Labs said it was able to unearth a “long-forgotten” version of the My Flow landing page hosted on the domain “web.flow.opera.com” using the urlscan.io website scanner tool.


“The page itself looks quite the same as the current one in production, but changes lie under the hood: Not only that it lacks the [content security policy] meta tag, but it also holds a script tag calling for a JavaScript file without any integrity check,” the company said.


“This is exactly what an attacker needs – an unsafe, forgotten, vulnerable to code injection asset, and most importantly, has access to (very) high permission native browser API.”
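A defender-side check for the conditions described above, as an added example that is not code from Guardio Labs or Opera: given an extension manifest's externally_connectable patterns and an inventory of pages, it reports pages that can message the extension yet lack a CSP meta tag or load scripts without an integrity attribute. The function names, domains, manifest and HTML are constructed for illustration, and the regex-based HTML checks do not see a CSP delivered as an HTTP header.

```javascript
// "*.host" in a match pattern covers the bare host and every subdomain under it.
function hostMatches(patternHost, host) {
  if (patternHost.startsWith('*.')) {
    const base = patternHost.slice(2);
    return host === base || host.endsWith('.' + base);
  }
  return host === patternHost;
}

// True when `url` may message the extension per externally_connectable.matches.
function canConnect(manifest, url) {
  const matches = (manifest.externally_connectable || {}).matches || [];
  const u = new URL(url);
  return matches.some((p) => {
    const m = /^(\*|https?):\/\/([^/]+)\//.exec(p);
    if (!m) return false;
    const schemeOk = m[1] === '*' || m[1] + ':' === u.protocol;
    return schemeOk && hostMatches(m[2], u.hostname);
  });
}

// Regex-based checks: adequate for an inventory sweep, not a full HTML parser.
function auditHtml(html) {
  const findings = [];
  if (!/<meta[^>]+http-equiv=["']?content-security-policy/i.test(html)) findings.push('no CSP meta tag');
  for (const tag of html.match(/<script\b[^>]*\bsrc=[^>]*>/gi) || []) {
    if (!/\bintegrity=/i.test(tag)) findings.push('script without integrity: ' + tag);
  }
  return findings;
}

// Report every inventoried page that can reach the extension and is weakly hardened.
function auditAssets(manifest, pages) {
  return pages
    .filter((p) => canConnect(manifest, p.url))
    .map((p) => ({ url: p.url, findings: auditHtml(p.html) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample data (hypothetical vendor domain, not from the article).
const manifest = { externally_connectable: { matches: ['https://*.sync.vendor.example/*'] } };
const pages = [
  { url: 'https://sync.vendor.example/', html: '<meta http-equiv="Content-Security-Policy" content="script-src \'self\'"><script src="/app.js" integrity="sha384-PLACEHOLDER"></script>' },
  { url: 'https://old.sync.vendor.example/', html: '<html><script src="/static/main.js"></script></html>' },
  { url: 'https://blog.vendor.example/', html: '<script src="/x.js"></script>' },
];
console.log(JSON.stringify(auditAssets(manifest, pages), null, 2));
```

Only the forgotten subdomain is reported: it matches the wildcard pattern and fails both hardening checks, while the unrelated blog host is ignored because it cannot reach the extension at all.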

The attack chain then hinges on creating a specially crafted extension that masquerades as a mobile device to pair with the victim’s computer and transmit an encrypted malicious payload via the modified JavaScript file to the host for subsequent execution by prompting the user to click anywhere on the screen.

The findings highlight the increasing complexity of browser-based attacks and the different vectors that can be exploited by threat actors to their advantage.

“Despite operating in sandboxed environments, extensions can be powerful tools for hackers, enabling them to steal information and breach browser security boundaries,” the company told The Hacker News.

“This underscores the need for internal design changes at Opera and improvements in Chromium’s infrastructure. For instance, disabling third-party extension permissions on dedicated production domains, similar to Chrome’s web store, is recommended but has not yet been implemented by Opera.”


When reached for comment, Opera said it moved quickly to close the security hole and implement a fix on the server side and that it is taking steps to prevent such issues from happening again.

“Our current structure uses an HTML standard, and is the safest option that does not break key functionality,” the company said. “After Guardio alerted us to this vulnerability, we removed the cause of these issues and we are making sure that similar problems will not appear in the future.”

“We would like to thank Guardio Labs for their work on uncovering and immediately alerting us to this vulnerability. This collaboration demonstrates how we work together with security experts and researchers around the world to complement our own efforts at maintaining and improving the security of our products and ensuring our users have a safe online experience.”
