Zero-Click Threat: Opera GX Patch Addresses Flaw Allowing Malicious Mod Auto-Installation
Executive Summary
Security researchers have uncovered a critical, zero-click vulnerability in Opera GX, the gaming-focused version of the Opera web browser. Rated at the highest severity tier (P1), the flaw allowed malicious websites to silently, auto-install a browser extension ("GX Mod") without requiring any user approval, clicks, or confirmation prompts. Once installed, the malicious mod could inject code to extract sensitive data, session tokens, and personal emails from all pages the victim visits. Opera has patched the vulnerability in version 130.0.5847.89 and confirmed there is no evidence of active in-the-wild exploitation.
Deep-Dive Technical Analysis
Modern web browsers utilize robust extension sandboxing, strict permission prompts, and user confirmation modals to prevent malicious websites from forcing the installation of unauthorized browser extensions. However, the unique customization features of Opera GX bypassed these vital guardrails.
A technical analysis of the zero-click attack reveals a critical flaw in Opera GX's "GX Mods" feature:
* The Role of GX Mods: GX Mods allow users to customize and reskin their browser with specialized wallpapers, custom themes, background sounds, and custom CSS styling. These mods are downloaded as standard .crx extension files, but are designed to run with highly restricted, read-only permissions and are blocked from executing JavaScript.
* The Auto-Installation Bypass: Researchers discovered a logic vulnerability within the browser's mod installation handler. A malicious website could trigger a silent, unprompted download and installation of a crafted .crx mod file. Because the browser did not classify mods as high-risk extensions, it completely bypassed the standard extension confirmation prompts, executing a zero-click auto-installation.
* Malicious CSS and Data Stealing: Although GX Mods are blocked from running JavaScript, they possess the ability to inject custom Cascading Style Sheets (CSS) into visited web pages. An attacker could use CSS injection techniques (such as attribute selectors and background-image calls) to extract sensitive page elements.
* The Proof-of-Concept: In a successful proof-of-concept, researchers demonstrated that a single, passive visit to a malicious page allowed the attacker to silently install a mod, inject custom CSS, and completely reconstruct a signed-in user's full Gmail address and session data—entirely without any clicks or user interaction.
Industry Impact and Recommendations
The disclosure of a zero-click extension installation vulnerability represents a major security hazard. Because the attack chain required no clicks, workarounds, or user awareness, any user visiting a compromised or malicious web page was immediately susceptible to silent credential harvesting.
We recommend that all users, IT administrators, and security operations teams implement the following immediate mitigations:
1. Force Update Opera GX Immediately: Ensure all personal and corporate installations of Opera GX are immediately updated to version 130.0.5847.89 (or newer) to close the mod auto-installation vulnerability. You can confirm your active version by navigating to opera://about in your browser.
2. Review Installed Extensions and Mods: Regularly audit all active extensions, themes, and mods inside your browser, completely removing any utilities from unverified or unknown publishers.
3. Implement Enterprise Browser Policies: For corporate environments, deploy group policy templates to restrict standard users from installing unverified browser extensions or themes, and block access to unapproved extension marketplaces.
4. Monitor for Anomalous Web Requests: Configure security log monitors to flag unusual, automated, high-frequency outbound requests directed at unknown extension repositories, which can indicate silent background installation attempts.
References
* The Hacker News
* CISA Alerts and Advisories