Skip to main content
Emerging ThreatsMalware & Ransomware

Opera GX Flaw Enables Sites to Auto-Install Malicious Mods

Laptop screen shows generic browser homepage with subtle hint of malicious mod installation in background.

A $5,000 bounty and a May 8 patch followed discovery of a critical flaw in the Opera GX browser that let websites install a customization mod silently and then use that mod to siphon data from other sites a user visited.

How GX Mods could install themselves without a prompt

GX Mods — the Opera GX feature that lets users customize a browser's appearance, sounds and the look of websites — are designed to carry no permissions and to be unable to run JavaScript. An independent security researcher operating under the name zhero_web_security found that a mod nevertheless installs automatically as soon as its file is downloaded, with no user prompt.

Because a mod file is treated as an installer on download, an attacker only needs to load a hidden frame pointing to that file to plant the mod on a victim's machine. Once present, a mod's styling is applied to every page and every tab the user opens, giving the attacker a cross-site insertion point that ordinary, single-page CSS injections do not provide.

Cross-site leaks: using CSS to exfiltrate data including a Gmail address

CSS itself cannot read the textual contents of a page directly, but it can be shaped to cause network requests conditionally based on what the page contains. The researcher exploited that behavior to construct a zero-click cross-site leak, known as an XS-Leak, which recovered a victim's full Gmail address after a silent redirect to a Google account page.

Because the malicious stylesheet applied across every page and tab, the attacker's CSS could be used to extract pieces of information from multiple origins over time. The researcher noted the XS-Leak method is not inherently limited to email addresses; the same approach could be adapted to leak other values discoverable through conditional resource requests triggered by CSS.

Denial-of-service triggered by private browsing and .crx files

The same auto-install behavior produced a separate, disruptive outcome. Chromium-based browsers block extensions in private (Incognito) windows; forcing a mod installation attempt while in that mode caused Opera and Opera GX to crash and to wipe the user's open tabs. Any file with a .crx extension triggered the crash condition, whether or not it was a valid mod package.

That combination—an automatic install attempt and an Incognito-mode block—turned a cosmetic customization feature into a vector for denial-of-service against the browser's current session.

Timeline: discovery, reporting through Bugcrowd, reassessment, patch and disclosure

The researcher reported the issue in February through Opera's Bugcrowd bug bounty program. Initially the report was triaged as a low-priority issue, but Opera's security team later reassessed the risk as critical. Opera patched the vulnerability on May 8 and paid a $5,000 bounty.

The research was published on July 3 as a proof of concept. The published work was tested on Opera GX version 127.0.5778.41 after the fix had shipped, according to the researcher.

What this means for security teams, enterprises, and end users

  • Security teams: Review how browsers treat downloaded mod and extension files and whether automatic install behavior is possible in enterprise configurations. Pay attention to styling-based attack surfaces where CSS can be used to trigger network requests for exfiltration.
  • Enterprises and procurement leaders: Track patch timelines and triage decisions — this case shows an issue originally triaged low but later escalated to critical. Ensure update policies push fixes like the May 8 patch to users running affected client versions such as Opera GX 127.0.5778.41.
  • End users: Install updates. Opera issued a fix and the researcher tested the PoC against a patched build; keeping Opera GX current removes the auto-install vector that the PoC exploited.

Opera's reassessment and the subsequent patch closed the specific vector the researcher demonstrated: an automatically installed GX Mod used as a persistent, cross-site styling injector that enabled XS-Leaks and a session-wiping crash in private mode. The researcher's proof of concept, published after the patch and tested on the fixed version, shows how stylistic features can become functional attack surfaces when download-and-install behavior is automatic and cross-tab styling is global.

Original report