Opera Browser Zero-Day RCE Vulnerability on Cross-Platforms

Opera’s Zero-Day RCE: It’s not a soap opera, but it sure has drama. Grab your popcorn and secure your browser!

In a recent investigation by the Guardio Labs research team, a significant zero-day vulnerability surfaced within the popular Opera web browser family. This flaw, which allows attackers to execute malicious files on Windows or MacOS systems (cross-platform) through a specially crafted third-party browser extension, draws attention not only to Opera's exposure but also to broader challenges in contemporary browser security.


Guardio promptly disclosed the finding to Opera's team, and Opera's swift response underscores the critical collaboration between security researchers and browser developers in safeguarding users. This article delves into the research process, the identified vulnerability, and the ongoing efforts to fortify digital experiences against the constantly evolving landscape of cyber threats.


Technical Deep Dive: Opera “MyFlaw” Vulnerability


My Flow and the Opera Touch Background Extension


Before getting to the RCE flaw itself, it helps to understand My Flow, the feature whose smooth operation lets users take notes and share files between desktop and mobile devices through the Opera browser. Pairing starts with a simple QR code scan using Opera's mobile app, which opens a chat-style interface that handles the exchange of messages and files.


Yet, from a cybersecurity standpoint, a notable concern arises. The chat-like interface adds an "OPEN" link to any message containing an attached file, allowing users to execute the file directly from the web interface. This suggests an interaction between the webpage context and a system API that can execute a file from the file system outside the usual browser constraints, with no sandbox and no limits.


Opera, like many contemporary browsers, is constructed on the Chromium open-source project, sharing core code, capabilities, and design. To distinguish itself and offer unique features, Opera leverages Chromium’s built-in customization options, including built-in browser extensions. 


These built-in extensions augment functionality and introduce new features. The crucial distinction, however, is that built-in extensions come pre-installed, cannot be disabled or controlled by the user, and may possess broader capabilities and permissions than ordinary extensions.


For those curious about these extensions, a peek into their workings is feasible through the browser’s dev tools. You can explore the inner workings of your browser by navigating to opera://inspect and selecting “Extensions.” 


The built-in “Opera Touch Background” extension from the Opera Inspect Window


The unique My Flow feature relies on the Opera Touch Background extension to handle all its internal operations. Like any typical extension, it incorporates a manifest file that outlines permissions and capabilities. Notably, the file includes an “externally_connectable” declaration:


"externally_connectable": { 
    "matches": [ 


This declaration means that only web resources within the specified domains can communicate with the extension. The interaction occurs through the chrome.runtime.connect API, which gives the webpage access to every handler declared within this powerful extension. The handlers below were among the capabilities discovered for My Flow:

port.onMessage.addListener(data => {
  switch (data.type) {
    case 'GET_PAIRING_TOKEN':
      wrapResponse(this.getPairingToken(data.value), data);
      break;
    case 'GET_DEVICES':
      wrapResponse(this.getConnectedDevices(true), data);
      break;
    case 'OPEN_FILE':
      // Eventually reaches the private opr.operaTouchPrivate.openFile API.
      wrapResponse(this.openFile(data.localFileName), data);
      break;
    case 'SEND_FILE':
      // The method name is cut off in the original excerpt; sendFile is assumed.
      wrapResponse(this.sendFile(
        data.name, data.content, data.file_type, data.preview,
        data.messageId, data), data);
      break;
    case 'DOWNLOAD_FILE':
      // Method name likewise cut off; downloadFile is assumed. Writes under ~/Downloads/MyFlow/.
      wrapResponse(this.downloadFile(
        data.url, data.name, data.iv, data.messageId, data), data);
      break;
  }
});

The Guardio Labs research team investigated the OPEN_FILE code and discovered that it eventually accesses a native private API inside the browser’s core object: opr.operaTouchPrivate.openFile(String filename)


Similarly, the DOWNLOAD_FILE handler writes a file to the local file system, specifically under the ~/Downloads/MyFlow/ directory.
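The handlers above are reachable by any page inside the declared origins, so the extension side is the last line of defence. The following is an added example (not Opera's code) of a hardened dispatcher for such an externally_connectable extension: it verifies the connecting origin, dispatches only allow-listed message types with no switch fall-through, requires a user-gesture context for OPEN_FILE, and rejects file names containing path separators. It would not by itself have stopped MyFlaw, whose injected code ran inside an allowed origin, but it shows the extension-side checks a practitioner would expect around privileged handlers. ALLOWED_ORIGINS, HANDLERS, privilegedApi and dispatchMessage are hypothetical names; the origin list is a placeholder.

```javascript
// Added example, not Opera's code: hardened dispatcher for messages that reach
// an externally_connectable extension over chrome.runtime.connect.
// Hypothetical names: ALLOWED_ORIGINS, HANDLERS, privilegedApi, dispatchMessage.

// Placeholder allow-list; the real manifest's "matches" patterns are not shown on the page.
const ALLOWED_ORIGINS = new Set(['https://flow.opera.com']);

// Stand-in for the private browser API (opr.operaTouchPrivate in Opera).
// It records calls so the dispatcher can be exercised offline.
const privilegedApi = {
  calls: [],
  openFile(name) { this.calls.push(['openFile', name]); return 'opened:' + name; },
};

// Each handler declares whether it needs a user gesture and validates its own input.
const HANDLERS = {
  GET_DEVICES: { gesture: false, run: () => [] },
  OPEN_FILE: {
    gesture: true,
    run: (d) => {
      // Bare file name only: no path separators, so the MyFlow folder cannot be escaped.
      if (typeof d.localFileName !== 'string' || d.localFileName === '' || /[\\/]/.test(d.localFileName)) {
        throw new Error('invalid file name');
      }
      return privilegedApi.openFile(d.localFileName);
    },
  },
};

// userGesture is supplied by the caller (assumption: derived from a click-event context).
function dispatchMessage(data, sender, userGesture) {
  let origin;
  try { origin = new URL(sender.url).origin; } catch (e) { return { ok: false, error: 'bad sender' }; }
  if (!ALLOWED_ORIGINS.has(origin)) return { ok: false, error: 'origin not allowed' };
  const handler = HANDLERS[data && data.type];
  if (!handler) return { ok: false, error: 'unknown message type' }; // no switch fall-through
  if (handler.gesture && !userGesture) return { ok: false, error: 'user gesture required' };
  try {
    return { ok: true, result: handler.run(data) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Wire-up in a real extension background script; skipped when run outside a browser.
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.onConnectExternal) {
  chrome.runtime.onConnectExternal.addListener((port) => {
    port.onMessage.addListener((data) => {
      port.postMessage(dispatchMessage(data, port.sender, false));
    });
  });
}
```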



Opera Browser My Flow Architecture


Possible Attack Scenarios 


When considering possible scenarios, the team anticipated a substantial attack vector: finding a way to invoke certain handlers from attacker-controlled code could allow any payload to be downloaded and executed on the targeted machine without user involvement.


To tackle this challenge, the initial goal was to find a way to run controlled code within the domains declared under opera.com, since only from those origins can the handlers be invoked.


The Guardio Labs research team highlights that DOWNLOAD_FILE and OPEN_FILE handlers are only accessible to resources within Opera-controlled domains, serving as a security safeguard. Cross-site scripting (XSS) was initially identified as a potential exploitation method, but since the webpage is fortified against XSS vulnerabilities, alternative tactics must be investigated. 


Injecting Code Via Extension Manipulation


The team envisions a more direct approach involving a typical extension with general permissions, comparable to widely adopted tools like ad blockers. Once integrated into the browser, such an extension could potentially inject code into designated URLs, notably pages originating from flow.opera.com. 


The team tried a variety of ways to inject code into the pages, as shown below:

  • Calling chrome.tabs.executeScript using the extension API, which will inject and execute a script. Opera’s security policy, which prevents extensions from running code on their Store pages, thwarted this attempt.

  • An alternative approach is using WebRequest or DeclarativeNetRequest APIs to manipulate requests on a targeted domain. The method involves altering a page’s request for a specific resource, such as a JavaScript file.


Bypassing CSP/SRI in an Unexpected Manner


During the team's analysis of the *.flow.opera.com domain family, a critical piece of infrastructure for various Opera products, potential weaknesses were unearthed. Using urlscan.io, a security tool, the team delved into the domain's history and uncovered HTML pages that had persisted from earlier versions of the site.


A historical version of a landing page, dating back over two years, lacked crucial security measures present in the current version. The missing safeguards included a CSP meta tag, and the page loaded a script tag without any integrity check (no SRI).
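The two missing safeguards are easy to check for mechanically, which is useful when reviewing archived copies of your own origins (for example, pages found through urlscan.io) for forgotten assets. The following is an added example, not from the article or from Guardio, of a small static audit that flags a missing Content-Security-Policy meta tag and any external script tag without an integrity attribute. auditHtml is a hypothetical name, and the two sample pages are constructed stand-ins for the legacy and hardened landing page.

```javascript
// Added example (not from the article): static audit of an HTML document for
// a CSP meta tag and Subresource Integrity on script tags. Constructed sample
// pages are embedded so it runs offline; auditHtml is a hypothetical name.

function auditHtml(html) {
  const findings = [];
  // CSP delivered as <meta http-equiv="Content-Security-Policy" ...>. A CSP HTTP
  // header would also count, but a saved page shows only the meta tag.
  const hasCspMeta = /<meta\b[^>]*http-equiv\s*=\s*["']?content-security-policy["']?/i.test(html);
  if (!hasCspMeta) findings.push('no Content-Security-Policy meta tag');

  // Every <script src=...> must carry integrity="sha256|sha384|sha512-<base64>".
  const scriptRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline script: SRI does not apply
    const hasIntegrity = /\bintegrity\s*=\s*["']sha(256|384|512)-[A-Za-z0-9+/=]+["']/i.test(attrs);
    if (!hasIntegrity) findings.push('script without SRI: ' + src[1]);
  }
  return findings;
}

// Constructed stand-ins for the archived (unsafe) and current (hardened) page.
const LEGACY_PAGE = `<html><head><title>Flow</title>
<script src="https://cdn.example.test/app.js"></script></head><body></body></html>`;
const HARDENED_PAGE = `<html><head>
<meta http-equiv="Content-Security-Policy" content="script-src 'self' https://cdn.example.test">
<script src="https://cdn.example.test/app.js"
  integrity="sha384-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  crossorigin="anonymous"></script>
</head><body></body></html>`;

function main() {
  console.log('legacy:', auditHtml(LEGACY_PAGE));     // two findings
  console.log('hardened:', auditHtml(HARDENED_PAGE)); // none
}
main();
```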


URLscan Results — urlscan.io [Image Courtesy: Guardio Labs]


The research team emphasized the significance of this finding by stating:

“This is exactly what an attacker needs — an unsafe, forgotten, vulnerable to code injection asset, and most importantly — has access to (very) high permission native browser API!” 

Simulating “My Flow” to Send Malicious Payload


The team used the extension itself to simulate the mobile side of My Flow sending a payload, since the mobile app and the extension both use the same endpoint under flow.opera.com. They took the following steps:


1. Create a Fake Device Instance:

  • Make a request to flow.opera.com/v1/devices using the extension, including fabricated information about a mobile device and a public key for encrypting the payload.

  • Upon completion, you will be provided with a DEVICE ID and TOKEN.


2. Request Pairing Token:

  • Utilize the GET_PAIRING_TOKEN handler to request a pairing token from the browser.

  • Acquire a QR code value for the purpose of pairing.


3. Connect and Pair Devices:

  • Send data to https://flow.opera.com/v1/connect-devices to connect the fake device and pair it with the browser.


4. Encryption of Malicious Payload:

  • Encrypt the malicious payload using the keys exchanged earlier during device creation.


5. Generate the malicious file:

  • Utilize the SEND_FILE handler that the browser uses for file transfers from mobile devices.

  • Utilize the interesting side effect of this handler: it saves a copy of the sent file in the same folder where MyFlow downloads files.

6. Execution of the malicious file:

  • Trigger the OPEN_FILE call to execute the file from the local storage of the infected browser’s operating system.


Exploiting SEND_FILE functionality


Final Challenge: Transitioning from Zero to One Click


The research team discovered a last stumbling block in their process: a permissions barrier on the OPEN_FILE function, which required a certain context for the operation to occur. Their investigation of the My Flow API found that initiating the OPEN_FILE action requires a click event, shifting the scenario from a zero-click to a one-click attack. Although this weakens the attack, the researchers found that a one-click variant was remarkably simple to design, needing just a user click anywhere on the screen.


The team took advantage of the fact that the user had just installed the extension, disguised as an ad blocker, by using the familiar "Thank you for installing" screen that usually accompanies new extensions. They injected code into this tab and restyled it to look like a thank-you page, encouraging the user to click anywhere, which performs the desired action. This simple but effective strategy shows how the team worked around each obstacle encountered during the research.


MyFlaw Exploit: A Complete POC Attack Flow on Opera


Let’s take a look at a thorough Proof of Concept (POC) attack sequence to see how an attacker may exploit the newly found vulnerability in Opera. This vulnerability has the potential to install malicious payloads on a large number of users’ computers worldwide.

  1. Extension Installation (Disguised Entry)

    1. An attacker distributes a browser extension masquerading as an AdBlocker (or similar “useful” software), enticing widespread daily installations.

    2. The extension gains the necessary permissions, specifically DeclarativeNetRequest, which allows malicious payloads to be substituted for script requests.

  2. Handler Trigger (Automatic Trigger)

    1. After being installed, the OnInstalled handler initiates the opening of a vulnerable page from flow.opera.com in a newly created tab.

  3. Code Injection

    1. Crafted JavaScript code is injected into the opened page, subtly altering its appearance and allowing for interaction with the Opera Touch Extension.

  4. Simulated Mobile Device Pairing

    1. The injected code simulates a mobile device pairing with the browser and transfers a malicious file to the system.

  5. Code Execution

    1. The user is prompted to click, which initiates the execution of the transferred malicious file and ends the attack flow in less than a second.


Opera Exploit Workflow


The exploit, as demonstrated in the proof-of-concept run, achieves rapid file execution on the target operating system (Windows or MacOS) in seconds, highlighting its alarming malicious potential.


Conclusion


In conclusion, the MyFlaw vulnerability served as a stark reminder of the ever-evolving landscape of cyber threats. It exposed a critical security flaw within a popular browser extension, potentially impacting millions of users worldwide. However, this discovery also exemplifies the power of responsible security research and collaboration.


The rapid disclosure of Guardio Labs' findings to Opera's security team, and Opera's prompt reaction in providing a fix, highlight the value of open communication and quick action in minimizing the impact of vulnerabilities. It reinforces the need for ongoing collaboration between security researchers and browser developers to fortify digital experiences against emerging security risks. As users, developers, and security professionals, staying vigilant and proactive in addressing such vulnerabilities is crucial for maintaining a secure online environment.




Originally published by darkrelay: Opera Browser Zero-Day RCE Vulnerability on Cross-Platforms

Copyright notice: posted by admin on 8 February 2024 at 8:31 AM.
Please attribute when reposting: Opera Browser Zero-Day RCE Vulnerability on Cross-Platforms | CTF导航