Beware, all Windows and Mac devices may be at risk: a dangerous security flaw in Opera could have allowed hackers to run any file they wanted

Opera, a popular Chromium-based browser, was found to contain a vulnerability that allowed hackers to install virtually any file on both Windows and macOS operating systems.

The vulnerability was discovered by cybersecurity researchers at Guardio Labs, who notified the browser’s developers and helped them close the hole.

In its technical description, Guardio Labs explained that the error stemmed from a feature built into the browser called My Flow. The feature is built on a browser extension called Opera Touch Background, which comes pre-installed with the browser and technically cannot be uninstalled.

Abuse of a landing page

My Flow allows users to take notes and share files between the desktop and mobile versions of the browser. There is a trend among software developers to provide users with a seamless transition between desktop and mobile solutions for both work and play. However, in this case, the feature came at the expense of security.

“The chat-like interface adds an ‘OPEN’ link to any message with an attached file, allowing users to immediately run the file from the web interface,” the researchers explain. “This indicates that the web page context can somehow communicate with a system API and execute a file from the file system, outside the usual boundaries of the browser, without sandboxing and without boundaries.”

The second important factor is that certain other web pages, as well as extensions, can connect to My Flow. When Guardio Labs researchers found a “long-forgotten” version of the My Flow landing page on the web.flow.opera.com domain, they seemingly struck gold.

“The page itself looks pretty much the same as the current one in production, but changes lie under the hood: not only that it is missing the meta tag (content security policy), but it also contains a script tag that requests a JavaScript file without any integrity checks,” the company said.

“This is exactly what an attacker needs: an insecure, forgotten, vulnerable to code injection asset and, most importantly, access to a native browser API with (very) high permissions.”

Consequently, a threat actor could create an extension that mimics a mobile device that the victim’s computer can connect to. They could then deliver encrypted malicious code through the modified JavaScript file and get the user to execute it by clicking anywhere on the screen.
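As an added example (not code from Guardio Labs or Opera), the following Python check audits a page for the two weaknesses the researchers quote above: no Content Security Policy and a script tag loaded without an integrity attribute. The sample pages and the cdn.example URL are constructed, and accepting the policy from a response header as well as a meta tag goes beyond the case described in the article.

```python
import re
from html.parser import HTMLParser

# Shape of a Subresource Integrity token: algorithm prefix plus a base64 digest.
SRI_TOKEN = re.compile(r"^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$")

class PageAudit(HTMLParser):
    """Records whether a CSP meta tag exists and which scripts lack SRI."""
    def __init__(self):
        super().__init__()
        self.has_csp_meta = False
        self.scripts_without_sri = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            if a.get("content"):
                self.has_csp_meta = True
        elif tag == "script" and a.get("src"):
            tokens = a.get("integrity", "").split()
            if not any(SRI_TOKEN.match(t) for t in tokens):
                self.scripts_without_sri.append(a["src"])

def audit_page(html, headers=None):
    """Return a list of findings for one page; an empty list means both checks pass."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    parser = PageAudit()
    parser.feed(html)
    parser.close()
    findings = []
    if not (parser.has_csp_meta or headers.get("content-security-policy", "").strip()):
        findings.append("no Content-Security-Policy (header or meta tag)")
    for src in parser.scripts_without_sri:
        findings.append(f"script without integrity attribute: {src}")
    return findings

# Constructed sample pages: a forgotten legacy copy and a hardened current one.
LEGACY_PAGE = """<html><head><title>Flow</title>
<script src="https://cdn.example/flow.js"></script></head><body></body></html>"""
CURRENT_PAGE = """<html><head>
<meta http-equiv="Content-Security-Policy" content="script-src 'self' https://cdn.example">
<script src="https://cdn.example/flow.js" crossorigin="anonymous"
        integrity="sha384-Q09OU1RSVUNURUQ="></script></head><body></body></html>"""

if __name__ == "__main__":
    for name, page in (("legacy", LEGACY_PAGE), ("current", CURRENT_PAGE)):
        print(name, audit_page(page) or "ok")
```

Running a check like this across every host that a privileged browser feature is allowed to talk to, including old subdomains, is how a forgotten asset of this kind gets noticed before it is abused.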

Via The Hacker News
