Opera GX users should make sure their browser is fully updated after researchers disclosed a flaw that allowed a malicious website to silently install a GX Mod and use it to infer sensitive data from pages the victim later visited. The proof-of-concept attack reconstructed a signed-in user’s Gmail address without requiring a click, approval prompt, or traditional extension permission grant.

The issue has been patched in Opera GX version 130.0.5847.89. Opera says it found no evidence of exploitation in the wild, but the finding is still important because it shows how a feature designed for customization can become a cross-site data exposure path when installation and scope controls are too permissive.

What happened

Opera GX includes “GX Mods,” add-ons aimed at gaming and personalization. Mods can change browser sounds, themes, wallpapers, and apply CSS that restyles websites. They are packaged as CRX files, similar to extensions, but they do not need JavaScript execution to create risk.

According to the report, the problem was not that a mod could run arbitrary code. The problem was that a malicious page could cause a mod to be downloaded and enabled automatically, for example through a hidden frame pointing to a CRX file. The user would see a notification bar saying a mod had been added, but the attack could redirect the victim quickly enough that the harmful CSS was already active before the user could realistically react.

That made the vulnerability different from a normal “user installed a bad extension” scenario. The attack path depended on silent installation plus broad CSS reach across sites the user opened.

Why CSS was enough

CSS is often treated as less dangerous than JavaScript because it cannot directly read a page and send its contents to an attacker. However, CSS can still act as a side channel. Attribute selectors can test whether an HTML attribute matches a specific pattern. If a rule only loads a background image when a value starts with certain characters, a remote server can observe which image requests arrive and infer the hidden value piece by piece.

In the Opera GX proof of concept, researchers targeted a Google account page containing the signed-in user’s email address in page attributes. They used a large set of CSS rules to test overlapping three-character chunks, then reconstructed the full Gmail address from the observed matches. The researchers described the technique as an XS-Leak, meaning a cross-site leak that exposes information across origin boundaries without directly breaking the same-origin policy in the usual scripting sense.

The practical lesson is that “CSS-only” does not mean “impact-free.” When CSS is attacker-controlled and applied universally, it can become a data inference tool.

Impact and affected users

The clearest demonstrated impact was disclosure of a signed-in Gmail address from a page visit. The same class of technique could potentially reveal other values exposed in page markup, such as usernames, identifiers, or hidden attributes, depending on the target site and how information is represented in HTML.

The attack still had constraints. A victim needed to visit a malicious site, the browser needed to accept the silently installed mod, and the victim needed to be signed in to a target page where useful values were present in attributes that CSS could test. Opera also stated it is confident the flaw was not exploited in the wild.

Even with those limits, the risk deserved serious treatment because the interaction bar was extremely low. A browser security boundary should not depend on a user noticing and removing a silently installed customization before an automatic redirect completes.

What users should do now

Opera GX users should update immediately and verify the installed version. In the browser, open opera://about and confirm the version is 130.0.5847.89 or later. If an update is available, apply it and restart the browser.

Users should also review installed GX Mods and remove anything they do not recognize. While Opera’s patch closes the reported path, a quick extension and mod hygiene check is still a good practice after any browser add-on security issue.

Security-conscious users should be cautious with niche browser customization features, especially when they can affect every site visited. Enterprises that permit alternative browsers should include Opera GX and regular Opera in browser inventory, patch compliance, and extension governance rather than treating them as unmanaged personal software.

Guidance for security teams

For defenders, this incident is a reminder to include CSS and browser personalization systems in threat modeling. Controls that focus only on JavaScript execution, extension permissions, or downloaded binaries can miss side-channel data leaks.

Recommended actions include:

- Ensure Opera GX is updated to version 130.0.5847.89 or later on any managed endpoint.
- Inventory Opera and Opera GX installations, including non-standard browsers used by developers, gamers, contractors, and BYOD users.
- Review policies around browser extensions, themes, mods, and customization packages.
- Monitor for unusual extension or CRX downloads from untrusted sites where endpoint telemetry is available.
- Educate users that browser add-on notifications, even for cosmetic features, should be treated seriously.

The distinctive takeaway for QloudBlog readers: universal styling can become universal sensing when CSS is installed without meaningful consent.

Bottom line

Opera has patched the flaw, and there is no indication of active exploitation. Still, the case is a useful warning for browser makers and defenders alike. Features that appear cosmetic can cross into security-sensitive territory when they are installed silently and apply across unrelated websites.

Browser security depends on clear user consent, strict installation boundaries, and narrow scope. When an add-on can follow a user from one site to another, even “just CSS” can be enough to leak private information.

Source: The Hacker News source