Opera, a popular Chromium-based browser, was found carrying a vulnerability that would allow hackers to install pretty much any file on both Windows and macOS operating systems.
The vulnerability was discovered by cybersecurity researchers from Guardio Labs, who notified the browser’s developers and helped plug the hole.
In its technical writeup, Guardio Labs explained that the flaw stemmed from a feature built into the browser, called My Flow. This is a feature built on a browser extension called Opera Touch Background, which comes preinstalled with the browser and technically can’t be removed.
Abusing a landing page
My Flow allows users to take notes and share files between the desktop and mobile versions of the browser. There is a trend among software developers to allow users a seamless transition between desktop and mobile solutions for both work and play. In this case, however, the feature came at the cost of security.
“The chat-like interface adds an “OPEN” link to any message with an attached file, allowing users to immediately execute the file from the web interface,” the researchers explain. “This indicates that the webpage context can somehow interact with a system API and execute a file from the file system, outside the browser’s usual confines, with no sandbox, no limits.”
The second important factor is the fact that specific, other web pages, as well as extensions, can connect to My Flow. When Guardio Labs’ researchers found a “long-forgotten” version of the My Flow landing page on the web.flow.opera.com domain, they seemingly struck gold.
“The page itself looks quite the same as the current one in production, but changes lie under the hood: Not only that it lacks the [content security policy] meta tag, but it also holds a script tag calling for a JavaScript file without any integrity check,” the company said.
“This is exactly what an attacker needs – an unsafe, forgotten, vulnerable to code injection asset, and most importantly, has access to (very) high permission native browser API.”
Consequently, a threat actor could create an extension that impersonates a mobile device to which the victim’s computer can connect. Then, they can drop an encrypted malicious code via the modified JavaScript file and have the user run it simply by clicking anywhere on the screen.
Via TheHackerNews
