Connect with us

Hi, what are you looking for?



Remote Code Execution Vulnerability Found in Opera File Sharing Feature

A vulnerability in an Opera browser feature for sharing files between devices could have led to remote code execution (RCE), threat protection firm Guardio Labs reports.

A vulnerability in an Opera browser feature for sharing files between devices could have led to remote code execution (RCE), threat protection firm Guardio Labs reports.

The impacted feature, My Flow, allows users to easily exchange messages and files between desktop and mobile devices, by simply scanning a QR code using Opera’s mobile application.

Once the code is scanned, users are presented with a chat-like interface that allows them to immediately execute the shared files, which is convenient for users, but also exposes them to security risks.

“This indicates that the webpage context can somehow interact with a system API and execute a file from the file system, outside the browser’s usual confines, with no sandbox, no limits,” Guardio Labs notes in a blog post.

Starting from this hypothesis, Guardio Labs’ security researchers started digging into the architecture, development, and security protocols Opera uses to identify any issues that could be exploited maliciously.

During their investigation, the researchers discovered that the My Flow feature uses a built-in browser extension, namely ‘Opera Touch Background’, which possesses broad permissions, albeit the browser implements numerous restrictions and security checks to prevent code injection attacks and other types of malicious abuse.

One of these security mechanisms ensures that only web resources under declared domains can communicate with the underlying extension, and only using a specific API. Even if an attacker could manipulate such a resource to add their own script, they would also have to bypass a hash value check.

However, Guardio Labs discovered that there were several versions of the My Flow landing page laying around, some of them a few years old and lacking the more recent security checks.

Advertisement. Scroll to continue reading.

“This is exactly what an attacker needs — an unsafe, forgotten, vulnerable to code injection asset, and most importantly — has access to (very) high permission native browser API,” Guardio Labs notes.

The discovery allowed the researchers to create a proof-of-concept (PoC) extension designed to download and execute a file on a victim’s computer.

The extension would create a fake device instance to generate a QR code that could be used for pairing with the browser, and then simulate a file transfer to deliver a malicious payload to the victim’s browser.

According to Guardio Labs, the attack required interaction from the user, but the obstacle could easily be overcome using social engineering: the user would be presented with a “Thank you” message for installing the extension and a click anywhere on the screen would trigger the payload execution.

In practice, an attacker could create a nefarious extension, trick the victim into installing it, and have malicious code executed on their systems in less than a second, on either Windows or macOS, Guardio Labs says.

Impacting the Opera and Opera GX browsers on both Windows and macOS, the issue was resolved in November 2023 on the server side. According to Guardio Labs, no evidence of in-the-wild exploitation of this vulnerability was found.

Responding to a SecurityWeek inquiry, Opera confirmed that it was made aware of the vulnerability on November 17 and that a fix was deployed by November 22.

“Our current structure uses an HTML standard, and is the safest option that does not break key functionality. After Guardio alerted us to this vulnerability, we removed the cause of these issues and we are making sure that similar problems will not appear in the future. It’s also important to note that we use manual review in our add-ons store, ensuring that any malicious extensions are detected and black-listed before reaching users,” Opera said.

Related: Password-Stealing Chrome Extension Demonstrates New Vulnerabilities

Related: Dozens of Malicious Extensions Found in Chrome Web Store

Related: Chrome and Its Vulnerabilities – Is the Web Browser Safe to Use?

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.