Opera GX Browser Mod Exploit Steals User Data via Silent CSS Injection

The vulnerability allowed attackers to silently install malicious browser mods that used CSS injection to reconstruct user email addresses from visited pages.

CSBadmin
3 Min Read

Silent Exploitation via Browser Mods

A critical vulnerability in the Opera GX browser allowed attackers to steal sensitive user data with zero interaction required from the victim. The flaw, uncovered by researcher Rachid Allam, exploited the browser’s GX Mods feature which enables users to customize the browser’s appearance through packaged files distributed as .crx extensions. These mods install automatically upon download without requesting explicit permission. An attacker could embed a malicious .crx file within a webpage, and when a victim visited that page, the mod would install silently in the background.

Unlike standard browser extensions, GX Mods do not support JavaScript or request permissions. However, they can inject CSS across all websites the user visits. This capability allowed the attacker to deploy a cross-site leak (XS-Leak) attack using universal CSS injection. While CSS cannot directly read data, it can infer information by triggering conditional network requests. Carefully crafted CSS selectors detect whether specific values exist in a webpage’s HTML and then load external resources, with each request leaking a small piece of data to an attacker-controlled server.

Attack Mechanics and Patching

The CSS payload was designed to extract data one fragment at a time, specifically targeting a victim’s Gmail address by breaking it into trigrams (sequences of three characters). The attack generated thousands of CSS rules testing for different trigram combinations to identify which fragments were present in the target data. Advanced techniques such as CSS variables and multi-layered background requests allowed multiple data points to be exfiltrated simultaneously. The attack also distributed workload across HTML elements to prevent browser crashes.

Once a victim was redirected to a target page containing their email address, the injected CSS began probing for matching patterns. Each successful match sent a request to the attacker’s server, where a reconstruction algorithm assembled the original string from overlapping trigram sequences. Opera patched this vulnerability in May 2026 through its bug bounty program, awarding the maximum bounty to the researchers. This incident demonstrates how non-traditional attack surfaces like browser customization features can introduce significant security risks, and highlights the growing relevance of XS-Leak techniques that exploit subtle browser behaviors.

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.