Security Flaw Discovered in Opera Browser Exposes Vulnerability for Remote Code Execution
Recent revelations from cybersecurity experts have brought to light a significant vulnerability in the Opera web browser that has since been patched. This flaw, known as MyFlaw, could allow malicious actors to execute code on Microsoft Windows and Apple macOS systems by leveraging a feature designed for syncing messages and files between mobile and desktop platforms.
The MyFlaw vulnerability exploits the “My Flow” feature within Opera, developed to facilitate file and message transfer seamlessly across devices. Researchers from Guardio Labs, who uncovered this security gap, explained that the vulnerability works by bypassing the browser’s sandbox using a controlled extension. This allows attackers to run arbitrary code on the user’s operating system—a severe breach of security protocols.
The vulnerability affects not only the standard Opera browser but also its gaming-oriented counterpart, Opera GX. The issue was disclosed responsibly on November 17, 2023, and subsequently addressed in updates released on November 22, 2023. Notably, the vulnerability’s nature reflects a growing trend of browser-based threats, emphasizing how complex and varied attack vectors can be for cybercriminals.
My Flow utilizes a chat-like interface to exchange notes and files, permitting the opening of files in a web browser. Unfortunately, this functionality creates a pathway for executing files outside of the browser’s security restrictions. The internal browser extension, known as “Opera Touch Background,” manages communication between devices, further complicating the security framework.
In examining the technical foundations of the vulnerability, it was noted that the extension employs a manifest file that defines its permissions, including which external web pages may interact with it. Domains like “*.flow.opera.com” and “.flow.op-test.net” have been specifically permitted, but relying on such permissions presents risks, as highlighted in Google’s documentation regarding messaging APIs.
Guardio Labs also discovered a legacy version of the My Flow landing page revealing critical security shortcomings, such as missing content security policies and vulnerability to script injections. These historical oversights can be exploited to execute attacks by creating deceptively benign browser extensions that connect with victim devices to transmit harmful payloads.
The attack vector profoundly showcases potential MITRE ATT&CK tactics, including initial access and privilege escalation. By disguising as a paired mobile device, an attacker could craft an extension to transgress boundaries set by browser security, illustrating the ease with which adversaries can manipulate these interconnected systems at scale.
As cyber threats evolve, guarding against such vulnerabilities necessitates enhanced internal policies and security protocols. Opera has acknowledged the issue and has acted swiftly to resolve the vulnerability. In a recent statement, the company affirmed its commitment to enhancing security and preventing recurrence of similar problems by refining the infrastructure and user protections.
Cybersecurity experts underline the importance of adaptive measures in the face of complex and sophisticated threats. The MyFlaw incident reinforces the critical need for ongoing vigilance and collaboration among industry leaders and researchers to ensure the safety of users navigating the digital landscape.
