A now-patched security flaw in the Opera web browser could have enabled a malicious extension to gain unauthorized, full access to private APIs.
The attack, codenamed CrossBarking, could have made it possible to conduct actions such as capturing screenshots, modifying browser settings, and hijacking accounts, Guardio Labs said.
To demonstrate the issue, the company said it managed to publish a seemingly harmless browser extension to the Chrome Web Store that could then exploit the flaw when installed on Opera, making it an instance of a cross-browser-store attack.
The issue has been addressed by Opera as of September 24, 2024, following responsible disclosure. That said, this is not the first time security flaws have been identified in the browser.
The latest attack technique hinges on the fact that several Opera-owned, publicly accessible subdomains have privileged access to private APIs embedded in the browser. These domains are used to support Opera-specific features like Opera Wallet, Pinboard, and others, as well as those that are used in internal development.
Rajesh Dhawan is a technology professional who loves to write about cybersecurity events and stories, cloud computing, and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.