Full Report
Browser extensions have extra capabilities compared to web pages, but they are still sandboxed from running arbitrary code on the system. Extensions get access to some additional APIs, yet the set is still quite restrictive. Some domains and extensions have "special" privileges in the Opera browser, which is the focus of this research. For instance, the Pin add-on can quickly take a screenshot of the page, but this requires extra permissions.

The authors decided to check whether any domains in the privileged list were no longer registered to Opera. Several, such as crypto-corner.op-test.net, were found not to be registered even though they still had access to these APIs. So the authors bought the domains to gain the special privileges that came with them.

What can be done with these privileged APIs? The chrome.cookies API can be used to extract all session cookies and hijack user accounts. Additionally, settingsPrivate allows various browser settings to be changed; an attacker can even change the DNS settings to set up a man-in-the-middle attack. Although, since most things use TLS, I'm not sure if this is very practical.

Opera carefully reviews extensions before adding them to its store, so the authors were afraid their bug report would be vetoed for this reason. Instead, they found a workaround: Opera allows Chrome extensions to be used! So they wrote their proof of concept as a Chrome extension that another user would download.

To remediate it, Opera did a few things. First, they removed content scripting on high-permission domains, to prevent obfuscation I think. Next, they removed the privileges from some domains entirely.

Overall, a fun vulnerability with some clever workarounds. Personally, I found that the article had a surprising order, which confused me on my initial read-through.
Analysis Summary
# Vulnerability: Opera Browser Privileged API Access via Expired/Acquired Domains Exploited by Cross-Browser Extensions
## CVE Details
- CVE ID: Not explicitly mentioned in the provided text. (Likely requires referring to the original research disclosure.)
- CVSS Score: Not explicitly mentioned in the provided text. Severity based on impact suggests High.
- CWE: CWE-264 (Permissions, Privileges, and Access Controls) or related to improper authentication/authorization for privileged APIs.
## Affected Systems
- Products: Opera Browser (Chromium-based).
- Versions: Vulnerable versions prior to the remediation steps detailed by Opera.
- Configurations: Systems where extensions downloaded from the Chrome Web Store can be installed and run within Opera (due to Opera's support for Chrome extensions).
## Vulnerability Description
The vulnerability stemmed from Opera granting special, high-level permissions (access to Private APIs) to specific domains hardcoded into the browser configuration. Researchers discovered that several of these domains, including development domains like `crypto-corner.op-test.net`, were no longer registered to Opera. The researchers acquired these expired domains, thereby inheriting the special privileges associated with them within the browser context.
Once control of these privileged domains was established, malicious extensions (developed as Chrome extensions and loaded into Opera) could execute code in the context of these high-privilege domains. This granted unauthorized access to powerful Private APIs, including:
1. `chrome.cookies` API: to extract all session cookies and hijack user accounts.
2. `settingsPrivate` API: to silently modify browser settings, including potentially changing DNS settings to facilitate Man-in-the-Middle (MITM) attacks (though TLS makes exploitation of the DNS change less practical).
The attack vector was facilitated by Opera's allowance of Chrome extensions, enabling a "cross-browser-store attack" where a malicious extension placed on the Chrome Web Store could target Opera users.
## Exploitation
- Status: PoC available (Proof of concept developed as a Chrome extension and used successfully against the vulnerability).
- Complexity: Medium (Requires domain acquisition/control technique, plus knowledge of injecting custom code into high-permission contexts via extensions).
- Attack Vector: Local/Adjacent (Relies on the user installing a malicious extension).
## Impact
- Confidentiality: High (Session cookies can be stolen, leading to account hijacking).
- Integrity: High (Browser settings can be modified).
- Availability: Low (No direct Denial of Service mechanism described, though setting changes could impact network reachability).
## Remediation
### Patches
- Opera removed content scripting privileges on the high-permission domains to prevent obfuscation and API access.
- Opera removed the privileges entirely from the misused domains.
### Workarounds
- No specific end-user workarounds were listed, as the vendor implemented fixes. In general, users should only install extensions from trusted sources until patched.
## Detection
- Indicators of compromise would include unexpected modifications to browser settings (especially DNS settings) or mass session cookie exfiltration originating from an extension action.
- Detection would involve scrutinizing extension permissions, though the primary mitigation was vendor-side remediation of domain access rights.
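One way to act on the detection advice above is to audit an extension's manifest for the two ingredients the write-up describes: a content script whose match patterns cover a privileged Opera domain, and the `cookies` permission. This is an added example, not Guardio's or Opera's code; the privileged-domain list holds only the domain named on this page, and the sample manifest is constructed.

```python
import json
import re
from typing import Dict, List

# Domains Opera granted private-API access to, per the write-up above.
# Only the domain named on this page is listed; a real audit would use
# the browser's full hardcoded list (assumption: that list is available).
PRIVILEGED_DOMAINS = ["crypto-corner.op-test.net"]

# Permissions that, in a privileged context, enable the impact described.
RISKY_PERMISSIONS = {"cookies"}

# Chrome match pattern: <scheme>://<host><path>
_PATTERN_RE = re.compile(r"^(\*|https?|file|ftp)://([^/]*)(/.*)$")


def host_pattern_matches(pattern: str, host: str) -> bool:
    """True if a Chrome match pattern's host part covers `host`.

    Handles "<all_urls>", a bare "*" host, "*.domain" (which also matches the
    bare domain, as Chrome does) and exact hosts. Malformed patterns never match.
    """
    if pattern == "<all_urls>":
        return True
    m = _PATTERN_RE.match(pattern)
    if not m:
        return False  # Chrome would reject this pattern at load time
    host_part = m.group(2)
    if host_part == "*":
        return True
    if host_part.startswith("*."):
        bare = host_part[2:]
        return host == bare or host.endswith("." + bare)
    return host == host_part


def audit_manifest(manifest: Dict) -> List[str]:
    """Return findings: risky permissions and content scripts hitting privileged domains."""
    findings = []
    for perm in sorted(set(manifest.get("permissions", [])) & RISKY_PERMISSIONS):
        findings.append(f"permission:{perm}")
    for idx, script in enumerate(manifest.get("content_scripts", [])):
        for pat in script.get("matches", []):
            for dom in PRIVILEGED_DOMAINS:
                if host_pattern_matches(pat, dom):
                    findings.append(f"content_script[{idx}] covers {dom} via {pat}")
    return findings


# Constructed sample manifest (not a real extension) for the audit.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "sample-for-audit",
  "permissions": ["cookies", "storage"],
  "content_scripts": [
    {"matches": ["*://*.op-test.net/*"], "js": ["inject.js"]},
    {"matches": ["https://example.com/*"], "js": ["benign.js"]}
  ]
}""")
```

Running `audit_manifest(SAMPLE_MANIFEST)` reports the `cookies` permission and the first content script, while the `example.com` script is left alone.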
## References
- Vendor Advisory: Opera acknowledged and worked on the fix (Implied by the text).
- Relevant links (defanged):
  - Original Research: hxxps://guard.io/labs/crossbarking-exploiting-a-0-day-opera-vulnerability-with-a-cross-browser-extension-store-attack