The Opera web browser, known for its wide array of features and customization options, recently faced a critical security challenge that put its users at risk. A significant security flaw labeled CrossBarking was discovered, allowing a malicious browser extension to gain unauthorized access to private APIs within Opera. This breach had the potential to enable a host of malicious activities aimed at compromising user data, such as capturing screenshots, altering browser settings, and hijacking user accounts. Guardio Labs, the cybersecurity group that uncovered this flaw, presented a striking demonstration of the threat by releasing a benign-looking extension on the Chrome Web Store, which exploited this vulnerability when installed on Opera. The Opera development team has since patched this flaw as of September 24, 2024, following the responsible disclosure protocols to ensure user safety.
The CrossBarking Vulnerability
Threat Demonstration and Vulnerability Exploitation
Guardio Labs took an innovative approach to illustrate the extent of the risk posed by the CrossBarking flaw. By publishing a seemingly harmless extension on the widely-used Chrome Web Store, they showcased how an extension designed for one browser could exploit vulnerabilities in another. Once this extension was installed on Opera, it capitalized on the flaw, demonstrating a cross-browser-store attack. This example underscored how interconnected and potentially insecure the ecosystem for browser extensions could be, highlighting the necessity for heightened security measures. The Opera team responded promptly to the discovery by issuing a patch on September 24, 2024, effectively neutralizing the threat actors’ tools.
The core issue behind CrossBarking stems from the privileged access that certain domains, owned by Opera and third parties, have to private APIs. Despite comprehensive sandboxing efforts meant to isolate the browser from the operating system, the research performed by Guardio Labs revealed that content scripts within extensions could inject malicious JavaScript into these privileged domains. This enabled attackers to bypass numerous security measures. Vulnerable domains included crypto-corner.op-test.net, op-test.net, gxc.gg, opera.atlassian.net, pinboard.opera.com, instagram.com, and yandex.com, which were exploited to perform various malicious activities. The ability to take screenshots of open tabs, hijack user accounts, and manipulate DNS-over-HTTPS settings to mislead users into interacting with harmful sites were just a few examples of the threat posed by this vulnerability.
Broader Implications and the Need for Rigorous Controls
The revelation of CrossBarking is not an isolated incident for Opera. Earlier in January, another vulnerability, known as MyFlaw, was discovered, exploiting a browser feature to execute files on the operating system. This pattern of recurring security issues highlights a more considerable challenge for the Opera browser in ensuring airtight security for its users. The findings from Guardio’s research emphasized the critical need for rigorous monitoring of browser extensions to prevent unauthorized access and potential abuse. Malicious extensions could appear harmless, gaining access through official add-on catalogs like the Google Chrome Web Store but required permissions to run JavaScript on domains with private API access.
By demonstrating the severe consequences of these security lapses, the need for a more robust and continuous review system for browser extensions becomes evident. This system should include continuous post-approval analysis and enforce real identity verification for developers rather than relying on easily obtained anonymous credentials. The prevalence of rogue browser extensions invading official stores is an issue that demands immediate attention from policy enforcers. This approach would help in keeping the browser extension ecosystem secure and protecting users from potential threats.
Reinforcing Browser Security
Enhanced Monitoring and Improved User Caution
The Opera browser incident serves as a potent reminder of the delicate balance between productivity and security essential in modern web browsers. The various tactics employed by cyber threat actors to exploit vulnerabilities underline the necessity for improved regulatory measures for browser extensions. This includes stricter monitoring mechanisms and more rigorous review systems with ongoing post-approval analysis to detect and prevent malicious extensions from sneaking through the cracks.
Additionally, there is a significant need to enforce real identity verification for developers submitting extensions, as opposed to using easily obtainable and often misleading anonymous credentials. This would ensure that only genuine developers with verified identities can create and publish extensions, thereby reducing the risk of malicious activities. Moreover, users must exercise caution when installing extensions, scrutinizing the permissions an extension requests and understanding the potential impact these permissions could have on their security and privacy.
Conclusion
Guardio Labs used an innovative method to highlight the risks of the CrossBarking flaw by publishing a seemingly harmless extension on the popular Chrome Web Store. This extension illustrated how a tool designed for one browser could exploit vulnerabilities in another. When installed on Opera, it leveraged the flaw to demonstrate a cross-browser-store attack. This example highlighted the interconnected and potentially insecure ecosystem of browser extensions, stressing the need for improved security measures. The Opera team responded quickly, issuing a patch on September 24, 2024, effectively disabling the threat actors’ tools.
The CrossBarking issue arises from the privileged access certain domains, owned by Opera and third parties, have to private APIs. Despite extensive sandboxing efforts to isolate the browser from the operating system, Guardio Labs’ research revealed that content scripts in extensions could inject malicious JavaScript into these privileged domains. This allowed attackers to bypass many security measures. Exploited domains included crypto-corner.op-test.net, op-test.net, gxc.gg, opera.atlassian.net, pinboard.opera.com, instagram.com, and yandex.com. Malicious activities included taking screenshots of open tabs, hijacking user accounts, and manipulating DNS-over-HTTPS settings to mislead users into visiting harmful sites.