VYPR
patchPublished Jul 6, 2026· 2 sources

Opera GX Flaw Allowed Silent Installation of Malicious Mods for Data Theft

A vulnerability in Opera GX enabled malicious websites to silently install add-ons capable of stealing user data from visited pages without interaction.

Researchers have uncovered a critical vulnerability in Opera GX, the gaming-focused version of the Opera browser, that allowed malicious websites to silently install add-ons and subsequently steal specific data from pages visited by users. In a proof-of-concept demonstration, attackers could reconstruct a logged-in user's full Gmail address with a single visit to a compromised site, requiring no user clicks or explicit permissions.

Opera has since released a patch for this vulnerability, addressing the issue in Opera GX version 130.0.5847.89. The company stated that it found no evidence of the flaw being exploited in the wild. Due to the nature of the attack, which required no user interaction, the patch was the only effective mitigation; there was no workaround available prior to the update.

The vulnerability stemmed from how Opera GX handles "GX Mods," which are designed to reskin the browser with custom themes and sounds. These mods are distributed as .crx files, similar to browser extensions, but traditionally lack JavaScript execution capabilities and permissions. The weakness lay in the browser's mod installation pipeline, which automatically downloaded and enabled a mod without presenting any approval prompt to the user.

This auto-install mechanism meant a malicious webpage could embed a hidden iframe pointing to a .crx file, silently installing a mod. The only indication to the user was a notification bar at the bottom of the browser window stating a mod had been added, with a "Remove" button. This underlying auto-install behavior had been identified previously in 2023, leading to a patch for a different attack vector, but the core auto-install functionality remained.

The exploit leveraged the fact that mods' CSS (Cascading Style Sheets) are applied to every page the browser visits, not just the initial landing page. By using CSS attribute selectors, attackers could craft rules that would trigger requests to an attacker-controlled server only when specific data, such as an email address hidden within HTML attributes on a page like Google's account settings, matched a certain pattern. This technique, known as an XS-Leak (cross-site leak), allowed data to be exfiltrated piece by piece.

To achieve this, researchers developed a mod containing approximately 150,000 CSS rules. This set of rules was designed to progressively leak characters of a Gmail address by testing against attribute values on the Google account page. The process was initiated by redirecting the victim's browser to the target Google page shortly after the mod was silently installed, allowing the CSS rules to execute and leak the address before the user could even notice the installed mod.

Beyond data theft, the researchers also documented a secondary, cruder exploit related to the auto-install path. Loading a .crx file while in private (Incognito) mode caused the browser to crash and dump all open tabs. This particular issue affected both regular Opera and Opera GX, as the extension installation pipeline was triggered regardless of the mod's content. Opera's advisory focused on the data-theft fix and did not explicitly mention this crash vulnerability.

The severity of this flaw was initially underestimated by Opera's bug bounty triage team, who rated it P3. However, after researchers demonstrated the exploit by reconstructing a triage analyst's Gmail address in real-time, Opera escalated the severity to P1, its highest rating, and awarded the maximum $5,000 bounty. While Opera remains confident the flaw was not exploited in the wild, the researchers' demonstration highlighted the speed and stealth with which such an attack could be executed, underscoring the significant risk posed by features that bypass user consent.

This new report details the technical mechanism of the Opera GX vulnerability, explaining how attackers can inject CSS to perform XS-Leaks and reconstruct sensitive data like Gmail addresses one trigram at a time. It also highlights the potential for denial-of-service conditions and notes that the vulnerability was patched by Opera in May 2026.

Synthesized by Vypr AI