A vulnerability in an Opera browser feature for sharing files between devices could have led to remote code execution (RCE), threat protection firm Guardio Labs reports.
The impacted feature, My Flow, allows users to easily exchange messages and files between desktop and mobile devices, by simply scanning a QR code using Opera’s mobile application.
Once the code is scanned, users are presented with a chat-like interface that allows them to immediately execute the shared files, which is convenient for users, but also exposes them to security risks.
“This indicates that the webpage context can somehow interact with a system API and execute a file from the file system, outside the browser’s usual confines, with no sandbox, no limits,” Guardio Labs notes in a blog post.
Starting from this hypothesis, Guardio Labs’ security researchers started digging into the architecture, development, and security protocols Opera uses to identify any issues that could be exploited maliciously.
During their investigation, the researchers discovered that the My Flow feature relies on a built-in browser extension, namely ‘Opera Touch Background’, which has broad permissions, although the browser implements numerous restrictions and security checks to prevent code injection attacks and other types of malicious abuse.
One of these security mechanisms ensures that only web resources under declared domains can communicate with the underlying extension, and only using a specific API. Even if an attacker could manipulate such a resource to add their own script, they would also have to bypass a hash value check.
However, Guardio Labs discovered that several versions of the My Flow landing page were still lying around, some of them a few years old and lacking the more recent security checks.
“This is exactly what an attacker needs — an unsafe, forgotten, vulnerable to code injection asset, and most importantly — has access to (very) high permission native browser API,” Guardio Labs notes.
The discovery allowed the researchers to create a proof-of-concept (PoC) extension designed to download and execute a file on a victim’s computer.
The extension would create a fake device instance to generate a QR code that could be used for pairing with the browser, and then simulate a file transfer to deliver a malicious payload to the victim’s browser.
According to Guardio Labs, the attack required interaction from the user, but the obstacle could easily be overcome using social engineering: the user would be presented with a “Thank you” message for installing the extension and a click anywhere on the screen would trigger the payload execution.
In practice, an attacker could create a nefarious extension, trick the victim into installing it, and have malicious code executed on their systems in less than a second, on either Windows or macOS, Guardio Labs says.
Impacting the Opera and Opera GX browsers on both Windows and macOS, the issue was resolved in November 2023 on the server side. According to Guardio Labs, no evidence of in-the-wild exploitation of this vulnerability was found.
Responding to a SecurityWeek inquiry, Opera confirmed that it was made aware of the vulnerability on November 17 and that a fix was deployed by November 22.
“Our current structure uses an HTML standard, and is the safest option that does not break key functionality. After Guardio alerted us to this vulnerability, we removed the cause of these issues and we are making sure that similar problems will not appear in the future. It’s also important to note that we use manual review in our add-ons store, ensuring that any malicious extensions are detected and black-listed before reaching users,” Opera said.