Guardio Labs’ research team has recently unearthed a critical zero-day vulnerability in the widely used Opera web browser family. This vulnerability, codenamed MyFlaw, poses a significant threat as it enables attackers to execute malicious files on both Windows and MacOS systems.
The flaw leverages a specific browser extension, highlighting a broader challenge in modern browser security.
MyFlaw Vulnerability Exploits My Flow Feature
The MyFlaw vulnerability centers around Opera’s My Flow feature, designed for syncing messages and files between mobile and desktop devices. This feature utilizes a controlled browser extension, effectively bypassing the browser’s sandbox and entire process. The issue impacts both the standard Opera browser and its gaming-focused counterpart, Opera GX.
Guardio Labs pointed out that the flaw could be exploited through a specially crafted extension, taking advantage of the My Flow feature’s chat-like interface to exchange notes and files. Notably, files exchanged through the web interface could be executed outside the browser’s security boundaries.
The vulnerability was responsibly disclosed by Guardio Labs on November 17, 2023, leading to prompt action from Opera. The company addressed the issue through updates released on November 22, 2023, securing users from potential exploitation.
My Flow’s Extension and Manifest File
My Flow relies on an internal browser extension known as “Opera Touch Background.” This extension communicates with its mobile counterpart and comes with its own manifest file, specifying required permissions and behavior.
Notably, the manifest file includes the externally_connectable property, declaring which web pages and extensions can connect to it. Guardio Labs identified a forgotten version of the My Flow landing page lacking essential security measures, providing a potential entry point for attackers.
Attack Chain and Exploitation
Guardio Labs uncovered an attack chain involving a specially crafted extension masquerading as a mobile device. The attacker pairs the extension with the victim’s computer, transmitting an encrypted malicious payload via a modified JavaScript file.
The payload is then executed on the host by prompting the user to click anywhere on the screen. This sophisticated exploitation underscores the evolving complexity of browser-based attacks and the diverse vectors threat actors can leverage.
Guardio Labs emphasizes the need for internal design changes at Opera and improvements in Chromium’s infrastructure.
The company recommends measures like disabling third-party extension permissions on dedicated production domains, similar to Chrome’s web store, to enhance security. While Opera responded promptly to the security hole, Guardio Labs stresses the importance of continuous collaboration between browser developers and security experts to maintain and improve product security.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: