Skip to content
feed: live about
>_ 0dayNews
browser

Opera GX patches auto-install mods flaw — update to 130.0.5847.89

Opera fixed a flaw that let a malicious website force-install a GX Mod and use CSS injection to lift data from pages you visited. Patched; no CVE; no in-wild exploitation reported.

Marisol "Fuse" Delgado · Published · 3 min read

Opera pushed a fix for a flaw in Opera GX Mods that let a malicious website silently install a mod, which could then use CSS-injection rules to read specific data attributes off the pages you visited and ship them to an attacker-controlled server. Opera’s security team published the advisory on July 3; The Hacker News wrote it up on July 6. Fixed build is Opera GX 130.0.5847.89. No CVE has been assigned. No CVSS score. Opera says it is “quite confident” the flaw was never used in the wild.

Here’s what changed and what to do about it.

What was broken

GX Mods are the theme-and-tweak add-ons Opera GX uses to let users customise the browser’s look. Before this patch, a third-party website could set up a specific flow that caused Opera GX to install a mod without the user clicking Install. Once installed, the mod could use “advanced Cascading Style Sheets injection rules” — Opera’s phrasing — to read specific data attributes from the pages you subsequently visited and transmit that data to an attacker-controlled server. The demonstrated impact in the researcher’s proof of concept was reconstructing a signed-in user’s full Gmail address from a single visit, no click required, per The Hacker News’s summary.

I’m not going to reproduce the trigger sequence or the CSS-injection rules. The vulnerability class here — a website causing a browser to install a signed extension-like artifact silently — is the interesting part, and it is the class of bug that has bitten Chrome, Firefox, and Safari at various points historically. That is enough context to make the decision to update. Read Opera’s advisory if you want more.

What Opera changed

Per the advisory, the fix disables the auto-installation behaviour that made this exploitable. In 130.0.5847.89 and later, installing a GX Mod requires an explicit user approval step rather than the browser doing it silently in response to a page. Credit goes to security researchers zhero_ and inzo_, who reported the bug through Opera’s Bugcrowd bug-bounty program.

Opera’s public statement:

  • No evidence of exploitation in the wild.
  • The attack is “complicated to pull off.”
  • The flaw was fixed on the timeline of the July 3 advisory publication.

The honest read on “no evidence of exploitation”: no evidence is not the same as no exploitation. This is a browser add-on install that could be triggered silently by a website, and the browser has millions of installs. Opera not having telemetry for it is not the same as it not having happened. Nothing here says users should panic — but it’s a reason to close the gap now rather than wait.

What to do — in priority order

1. Update Opera GX today.

Anywhere Opera GX is installed — including on the machines of family members who use it because it looks nice — patch to 130.0.5847.89 or later. Opera GX auto-updates by default, and most installs will be current already; verify by opening the browser’s About page. This is the whole fix for individual users. Ten seconds. Do it before you close this tab.

2. If you manage Opera GX in an enterprise, verify the update rolled out.

Opera GX isn’t a common corporate-standard browser, but it shows up on developer and creative workstations, particularly on gaming-adjacent machines. If your MDM or endpoint inventory tracks browser versions, pull a report for anything below 130.0.5847.89 and get it updated this week. If you don’t inventory browser versions and Opera GX is authorised in your environment, this is the excuse to start.

3. Audit installed GX Mods on shared or high-value machines.

The auto-install path is closed in the new build, but any mod that was silently installed before the patch is still installed after the patch. On any workstation where the risk of a lifted Gmail address (or any other page-attribute leak) is not acceptable — executives, finance, IR, admins — walk through the GX Mods list and remove anything the user does not recognise. Realistically, most users have installed exactly zero mods; the review takes a minute.

4. Don’t rewrite your browser-security policy over this one.

Silent install of a browser add-on from a page is a real class of bug and it will keep coming back — Renwa’s 2023 research on Opera covered an adjacent variant of the same pattern. But this specific fix is a specific fix. No CVE. No known in-wild abuse. Patch it, log it, move on. Save the policy revisit for a bug that actually forces one.

Priority call

Update the browser. If your org runs Opera GX on any managed endpoint, patch this week and verify. Everything else on this list is worth doing only after those two are done.

Sources

Found this useful? Share it.