"We are 'quite confident' the flaw was never exploited in the wild," Opera said in its advisory — even as researchers demonstrated a zero-click path that rebuilt a signed-in user's full Gmail address within seconds of a single page visit.
How GX mods became a universal channel
Opera GX lets users install "GX Mods" — .crx packages that reskin the browser with sounds, themes, wallpapers and CSS that restyles the sites you visit. By design, these mods cannot run JavaScript and carry no permissions. The risk discovered by researchers was not code execution or elevated privileges; it was the way Opera automatically downloads and enables a mod with no approval prompt. A hidden iframe pointed at a .crx can trigger an install silently, and the only immediate feedback is a small notification bar under the address bar with a Remove button.
From styling to data theft: the universal CSS injection
Because a mod's CSS is applied to every site the browser opens, an attacker-controlled mod can carry a "universal CSS injection" that follows a user across domains. Ordinary CSS injections are confined to the page that received them; here the styling reaches every page the browser loads. CSS cannot itself exfiltrate data, but researchers used attribute selectors and image fetches to turn style rules into a cross-site leak (an "XS-Leak").
The proof of concept targeted a Google account page, myaccount.google.com/contactemail, which exposes a Gmail address inside HTML attributes. The researchers packed a mod with roughly 150,000 CSS rules — each testing for specific three-letter sequences — and used tiny conditional background-image requests to an attacker server to learn the address one piece at a time. A prior attempt using four-letter pieces required 5.6 million rules and about 880 MB of CSS, which made the browser choke; the three-letter approach was compact enough to work.
What the attack looked like in practice
The sequence the researchers showed runs in seconds. A victim visits an attacker page; the hidden iframe makes the .crx install; a few lines of JavaScript on the attacker page then redirect the browser to the Google account page while the mod's CSS is already active. The CSS fires conditional requests during page rendering and leaks characters back to the attacker's server before the victim can reasonably read and click the Remove button. In the demo the researchers reconstructed a signed-in user's full Gmail address with no click required. They also documented a second effect: loading a .crx while in private (Incognito) mode crashes the browser and dumps every open tab — an issue that affects regular Opera as well as Opera GX. Opera's advisory fixes the data-theft pathway but does not mention the crash.
Opera's response, the bug bounty, and the triage story
Opera shipped a patch for Opera GX in build 130.0.5847.89; users on a current build can confirm their version at opera://about. There is no CVE associated with the bug. Opera's bug bounty team rated the issue P1, its top severity, and paid the program maximum of $5,000. The report did not reach that level immediately: triage analysts on Bugcrowd initially rated it P3. The researchers made a stark demonstration during reproduction — they rebuilt a triage analyst's Gmail address and pasted it into the report — after which Opera raised the severity to P1 and issued the $5,000 critical-tier award.
What this means for technologists, end users, and bounty programs
- Technologists and security teams: The lesson is about "reach" rather than traditional privileges — a seemingly harmless styling feature that applies globally can be repurposed for data exfiltration. Auditability of UI-driven install flows and cross-page styling deserves scrutiny.
- End users and gamers: There was no practical workaround short of the patch because the install required no clicks or approvals; updating to Opera GX version 130.0.5847.89 is the only mitigation the advisory lists.
- Bug bounty programs and triage analysts: The episode underscores how reproductions can be subtle and why exploitability merits careful, hands-on testing; an initial P3 rating was reversed only after an explicit, personalized demonstration.
Opera characterizes the attack as complicated — the victim must land on a malicious page, receive a fresh mod and remain exposed long enough for a redirect to fire — and the company says it found no evidence of exploitation in the wild. The researchers' demo, however, showed that silent installation plus universal CSS rules can extract values with zero clicks and a time window measured in seconds. Opera has patched the data-theft vector in Opera GX 130.0.5847.89; the advisory does not address the private-mode crash the researchers also reported. That unanswered detail is a concrete next step for both auditors and the vendor.




