Opera, a popular Chromium-based browser, was found to have a vulnerability that would allow hackers to install virtually any file on Windows and macOS operating systems.
The vulnerability was discovered by cybersecurity researchers at Guardio Labs, who notified the browser's developers and helped plug the hole.
In its white paper, Guardio Labs explained that the failure was due to a feature built into the browser, called My Flow. This is a feature built into a browser extension called Opera Touch Background, which comes pre-installed with the browser and technically cannot be removed.
Abusing a landing page
My Flow allows users to take notes and share files between the desktop and mobile versions of the browser. There is a trend among software developers to allow users to seamlessly transition between desktop and mobile solutions for both work and play. In this case, however, the feature came at the cost of security.
“The chat-like interface adds an ‘OPEN’ link to any message with an attachment, allowing users to immediately launch the file from the web interface,” the researchers explain. “This indicates that the web page context can somehow interact with a system API and execute a file from the file system, outside the usual confines of the browser, without sandboxing or limits.”
The second important factor is the fact that other specific web pages, as well as extensions, can connect to My Flow. When Guardio Labs researchers found a “long-forgotten” version of the My Flow homepage on the domain web.flow.opera.com, they apparently struck gold.
“The page itself is quite similar to what is currently being produced, but there are changes under the hood: not only does it lack the [content security policy] meta tag, but it also contains a script tag that requests a JavaScript file without any integrity checks,” the company said.
“This is exactly what an attacker needs: an asset that is insecure, forgotten, vulnerable to code injection and, most importantly, has access to a native browser API with (very) high permissions.”
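An added check for the two weaknesses the researchers name (a page with no Content-Security-Policy meta tag, and a script tag that loads an external file with no Subresource Integrity attribute); this is example code written for this article, not Guardio Labs' or Opera's, and the two HTML samples and the cdn.example.invalid host are constructed.

```python
"""Audit an HTML page for the two weaknesses named in the article.

Flags (1) a missing Content-Security-Policy <meta> tag and (2) any
<script src=...> that carries no `integrity` attribute. Added example,
not Guardio Labs' or Opera's code; the sample pages are constructed.
Note: CSP is more often delivered as an HTTP response header, which a
string-only check like this one cannot see.
"""
from html.parser import HTMLParser


class PageAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.has_csp_meta = False
        self.scripts_without_sri = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names are lowercased by HTMLParser
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.has_csp_meta = True
        # Any externally loaded script without an integrity hash is
        # modifiable by whoever controls (or compromises) the file host.
        if tag == "script" and a.get("src"):
            if not (a.get("integrity") or "").strip():
                self.scripts_without_sri.append(a["src"])


def audit_page(html: str) -> dict:
    """Return the findings for one page; 'weak' is True if either check fails."""
    p = PageAudit()
    p.feed(html)
    return {
        "csp_meta_present": p.has_csp_meta,
        "scripts_without_sri": p.scripts_without_sri,
        "weak": (not p.has_csp_meta) or bool(p.scripts_without_sri),
    }


# Constructed samples: a "forgotten" page with neither control, and a hardened one.
FORGOTTEN_PAGE = """<html><head>
<script src="https://cdn.example.invalid/flow.js"></script>
</head><body></body></html>"""

HARDENED_PAGE = """<html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://cdn.example.invalid">
<script src="https://cdn.example.invalid/flow.js" integrity="sha384-PLACEHOLDER_HASH" crossorigin="anonymous"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for name, page in (("forgotten", FORGOTTEN_PAGE), ("hardened", HARDENED_PAGE)):
        print(name, audit_page(page))
```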
Consequently, a threat actor could create an extension that poses as a mobile device that the victim's computer can connect to. They can then place encrypted malicious code through the modified JavaScript file and have the user execute it simply by clicking anywhere on the screen.
Via TheHackerNews