A critical vulnerability in the popular gaming browser Opera GX was identified, allowing cybercriminals to extract sensitive user information without any user interaction. This exploit required only that users visit a specially crafted malicious website.
Detailed in a report titled “One trigram at a time: XSLeak via Universal CSS Injection and DoS in Opera (GX),” the flaw exploited a browser feature intended for customization, demonstrating how it could be manipulated for extensive data extraction.
Understanding the Vulnerability
The issue originated from Opera GX’s “GX Mods” feature, which lets users personalize the browser’s appearance using .crx files. Alarmingly, these files are installed automatically upon download, bypassing user consent.
Researchers revealed that attackers could embed malicious .crx files within web pages. When a user accessed such a page, the mod would install silently, setting the stage for data exfiltration.
The Mechanics of the Attack
Unlike typical browser extensions, GX Mods do not execute JavaScript or request permissions, yet they can inject CSS across websites. This capability facilitated a cross-site leak (XS-Leak) using universal CSS injection.
CSS alone cannot directly access sensitive information. However, it can infer data by triggering specific network requests. With cleverly designed CSS selectors, attackers could determine the presence of specific data fragments, leaking tiny amounts of information with each request.
Data Extraction Process
To breach user data, attackers employed a sophisticated CSS payload to extract information bit by bit. The attack focused on reconstructing a victim’s email address by segmenting it into trigrams, or three-character sequences.
Thousands of CSS rules probed for different trigrams, and successful matches were reported back to an attacker’s server. Advanced techniques, like CSS variables and layered requests, allowed for simultaneous data extraction.
Additionally, the exploit involved redirecting victims to targeted pages, like a Google account page. Once there, the injected CSS initiated its search for data patterns, assembling them into complete strings over time.
Opera’s Response and Future Implications
Following a coordinated disclosure, Opera addressed the critical security flaw in May 2026, issuing a patch and awarding the highest bounty to the researchers involved. This incident underscores the potential risks posed by unconventional attack methods leveraging browser customization features.
The Opera GX vulnerability highlights the increasing significance of XS-Leak techniques, which exploit minor browser behaviors rather than traditional scripting vulnerabilities. This incident serves as a reminder of the evolving landscape of cyber threats and the need for continuous vigilance in browser security.
