In yet another display of the Opera web browser's lax security measures, cybersecurity researchers have uncovered a security flaw that could serve as a welcome mat for hackers to wreak havoc on your Microsoft Windows or Apple macOS system. This revelation, ominously dubbed MyFlaw by the Guardio Labs research team, is a remote code execution vulnerability nestled within Opera's seemingly innocent feature called My Flow. This feature, designed for syncing messages and files between mobile and desktop devices, inadvertently opens the door for malicious actors to execute any file on your operating system.
The Deceptive My Flow: Breaching Boundaries
Guardio Labs revealed that the MyFlaw vulnerability operates through a controlled browser extension, deftly sidestepping the browser's sandbox and the entire browser process. This insidious flaw affects not only the standard Opera browser but also Opera GX. Despite being responsibly disclosed on November 17, 2023, the company only managed to patch it as part of updates rolled out on November 22, 2023.
The My Flow feature, which disguises its potential threat with a chat-like interface for exchanging notes and files, allows files to be opened via a web interface. This, in turn, enables the execution of files beyond the browser's security boundaries. The built-in browser extension, ominously named "Opera Touch Background," is the unsuspecting accomplice responsible for communicating with its mobile counterpart and facilitating this malicious behavior.
Exploiting Weakness: The Technical Intricacies
The extension comes with its own manifest file, specifying permissions and behavior, including the externally_connectable property. In the case of Opera, this property declares which web pages and extensions can connect to it, with controlled domains such as "*.flow.opera.com" and ".flow.op-test.net." As if this weren't enough, Guardio Labs managed to unearth an old version of the My Flow landing page on "web.flow.opera.com," creating an additional vulnerability.
The absence of a content security policy meta tag and the inclusion of a script tag calling for a JavaScript file without integrity checks create the perfect storm for attackers. Guardio Labs capitalizes on this 'long-forgotten' version, emphasizing its unsafe nature and vulnerability to code injection. The attacker, armed with a specially crafted extension masquerading as a mobile device, pairs with the victim's computer and transmits an encrypted malicious payload via a modified JavaScript file. The user is then tricked into executing the payload by a simple click anywhere on the screen.
Opera's Lackluster Response: A Call for Urgent Changes
Despite assurances from Opera that they swiftly patched the security hole and implemented a fix on the server side, the MyFlaw incident exposes the glaring inadequacies in Opera's security infrastructure. The company acknowledged the need for internal design changes but fell short of implementing crucial improvements recommended by cybersecurity experts.
The episode underscores the inherent dangers of browser-based attacks, illustrating the myriad vectors exploited by threat actors. Guardio Labs stressed the necessity for internal design changes at Opera and improvements in Chromium's infrastructure, proposing the disabling of third-party extension permissions on dedicated production domains. Opera, however, has yet to heed this advice, leaving its users vulnerable to potential threats.
In response to inquiries, Opera downplayed the severity of the situation, claiming their current structure using an HTML standard is the safest option. While expressing gratitude to Guardio Labs for uncovering the vulnerability, Opera's assurance that similar problems won't recur sounds more like wishful thinking than a concrete plan of action. As users continue to navigate the perilous landscape of online security, the Opera browser's MyFlaw bug serves as a stark reminder of the constant threats lurking beneath the surface, waiting to exploit any vulnerabilities left unaddressed.
0 Comments