Security researchers from Guardio Labs have discovered a serious flaw in the Opera web browser for Windows and macOS. The vulnerability allows attackers to run any file, including malicious ones, on the computer's underlying operating system. The researchers named the vulnerability “MyFlaw” because of its association with the “My Flow” feature, which synchronizes messages and files between mobile and desktop devices.
The vulnerability allows the attacker to gain control over the browser extension and bypass the browser's sandbox and the entire browser process. This issue affects both the regular version of Opera and Opera GX.
My Flow, which works like a chat interface, is used to exchange notes and files between smartphones and desktop computers. However, files from this chat can be launched directly through the browser's web interface, outside the browser's security boundaries.
The My Flow feature relies on a built-in extension called “Opera Touch Background” to establish a connection with the mobile device. This extension has its own manifest file, which specifies its behavior and required permissions. One of the manifest entries is the “externally_connectable” property, which declares which web pages and extensions can connect to it.
Domains that can communicate with the extension must match the patterns “*.flow.opera.com” and “*.flow.op-test.net”, both controlled by the browser developer. However, Guardio Labs researchers discovered a “forgotten” version of the My Flow landing page on the domain “web.flow.opera.com”. The page visually resembles the current version but lacks a Content Security Policy meta tag and contains a script tag that loads a JavaScript file without integrity checking.
“This unsafe, forgotten, and vulnerable resource provides an opportunity for attackers to inject code with high privileges, allowing access to the browser API,” stated the Guardio Labs report.
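The two conditions described above can be checked together: which hosts a wildcard “externally_connectable” entry trusts, and whether a page served from such a host lacks a CSP or loads scripts without an integrity attribute. The following is an added example, not code from Guardio Labs or Opera; the manifest, the page markup, the script path and the function names are all constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample data (not Opera's real manifest or pages).
MANIFEST = {"externally_connectable": {"matches": [
    "*://*.flow.opera.com/*", "*://*.flow.op-test.net/*"]}}
LEGACY_PAGE = '<html><head><script src="/static/app.js"></script></head></html>'
HARDENED_PAGE = (
    '<html><head>'
    '<meta http-equiv="Content-Security-Policy" content="script-src \'self\'">'
    '<script src="/static/app.js" integrity="sha384-PLACEHOLDER"></script>'
    '</head></html>')


def wildcard_hosts(manifest):
    """Hosts in externally_connectable that cover every subdomain."""
    hosts = []
    for pattern in manifest.get("externally_connectable", {}).get("matches", []):
        host = pattern.split("://", 1)[-1].split("/", 1)[0]
        if host.startswith("*."):
            hosts.append(host)
    return hosts


class _PageScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.has_csp_meta = False
        self.scripts_without_sri = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            self.has_csp_meta = self.has_csp_meta or bool(a.get("content", "").strip())
        elif tag == "script" and a.get("src") and not a.get("integrity"):
            self.scripts_without_sri.append(a["src"])


def audit_page(html, csp_header=None):
    """Return findings for one page served from an allowed origin."""
    scan = _PageScan()
    scan.feed(html)
    findings = []
    if not scan.has_csp_meta and not csp_header:
        findings.append("no-csp")
    findings += ["no-sri:" + src for src in scan.scripts_without_sri]
    return findings


if __name__ == "__main__":
    print(wildcard_hosts(MANIFEST))
    print(audit_page(LEGACY_PAGE), audit_page(HARDENED_PAGE))
```

The check only reports whether a policy and integrity attributes are present; it does not judge how strict the policy is. Every page reachable under a wildcard host needs to pass, since any one of them can message the extension.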
The attack involves creating a special extension that masquerades as a mobile device to communicate with the victim’s computer. This extension then transmits encrypted harmful code through a modified JavaScript file, which is executed when the user clicks on the screen.
“Despite working in isolated environments, extensions can still be powerful tools for hackers, enabling them to steal information and bypass browser boundaries,” warned the researchers.
Opera addressed the vulnerability on November 22, 2023, just five days after it was disclosed. The developers applied fixes on the server side and implemented measures to prevent similar issues from occurring in the future. Due to security considerations, the vulnerability was only publicly disclosed now to