Opera Browser ‘CrossBarking’ Vulnerability Could Enable Full Access to Private APIs
Opera’s CrossBarking Flaw: Security Vulnerability in Browser Extensions Exposed
A critical security flaw in the Opera web browser could have allowed malicious extensions to gain unauthorized, full access to private APIs, threatening users’ privacy and security. Guardio Labs researchers named the exploit CrossBarking and demonstrated how malicious extensions could potentially take screenshots, modify browser settings, and even hijack user accounts.
Demonstrating the Threat
To illustrate the flaw, Guardio Labs created a harmless-looking extension published on the Chrome Web Store. When installed on Opera, this extension exploited CrossBarking, showcasing an instance of a cross-browser-store attack. “This case study highlights the ongoing tension between productivity and security,” said Nati Tal, head of Guardio Labs, noting how today’s threat actors operate subtly and effectively.
Opera resolved the issue through a patch issued on September 24, 2024, following responsible disclosure. However, the browser has previously experienced other vulnerabilities, including MyFlaw, discovered in January, which leveraged Opera’s “My Flow” feature to execute files on the operating system.
See Also: So, you want to be a hacker?
Offensive Security, Bug Bounty Courses
Exposing Private APIs Through Trusted Domains
The CrossBarking exploit capitalized on Opera’s own subdomains, which have privileged access to private APIs. These subdomains are utilized for internal development and Opera-specific features such as Opera Wallet and Pinboard. Guardio’s research revealed that extensions could inject malicious JavaScript into these overly permissive domains, gaining control over private APIs.
High-Risk Activities Enabled by the Exploit
Through this vulnerability, a malicious extension could alter critical browser settings, redirecting users to adversary-controlled websites through DNS manipulation and enabling adversary-in-the-middle attacks. Tal described how content scripts within the extension could access the DOM (Document Object Model), manipulate it, and add new elements to launch malicious actions.
Armed with these capabilities, attackers could take screenshots of open tabs, extract session cookies to hijack accounts, and modify settings to route traffic through their own DNS server, allowing them to intercept users’ sensitive data on banking or social media websites.
Trending: Red Teaming Tool: avred
The Risks of Rogue Browser Extensions
A major aspect of the CrossBarking vulnerability is the widespread presence of rogue extensions across official platforms, including the Chrome Web Store. Extensions, even when seemingly legitimate, often wield extensive permissions and can collect sensitive data, posing substantial risks to user privacy.
Guardio Labs underscores the need for stricter security reviews of browser extensions, recommending continuous monitoring of an extension’s activities post-approval. “We recommend stricter policies for registering developer accounts, including real identity verification,” Tal added, emphasizing that simply providing a free email and prepaid credit card should no longer suffice for registration.
The findings highlight the necessity of vigilance for browser users: before installing extensions, consider the permissions required and exercise caution, as even trusted browsers and extension stores can harbor risks.
Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]
Source: thehackernews.com