
A flaw in the Opera GX browser lets malicious web pages install customisation mods without any user interaction, opening the door to silent data theft according to Infosecurity Magazine.
The vulnerability was highlighted by security researchers who demonstrated how a malicious page could silently install a mod and then read data from other tabs.
The flaw leverages a universal CSS injection combined with an xsleak technique that triggers the automatic download and activation of a modification package as demonstrated by the researcher.
Once active, the mod’s stylesheet can be injected into every open tab, allowing the attacker to harvest information such as a user’s Gmail address or other login details.
In addition, the same vector can be used to crash the browser when running in incognito mode, creating a denial‑of‑service condition.
Opera was notified of the issue in February, and the bug was initially triaged as low priority according to The Hacker News.
After further analysis the vendor re‑graded it as critical, released a patch in May and awarded a $5 000 bounty to the finder.
No CVE identifier has been assigned to the flaw.
To date no threat‑actor group has been linked to the vulnerability and there is no public indication that it has been exploited in the wild.
However, the proof‑of‑concept shows that a seemingly benign website could silently install a mod and then harvest data from other open tabs without any user action.
This highlights the privacy risk inherent in browser‑based modification systems that trust content from arbitrary origins.
Users should install the Opera GX update released after May, which contains the fix for the CSS injection issue.
They should also review the list of installed mods and remove any that they do not recognise or that were added without explicit consent.
Disabling automatic mod installation from unknown sources or using a dedicated browser profile for banking and email can limit exposure.
Monitoring for unexpected crashes, sudden CPU spikes or unfamiliar network connections may help detect an attempted exploit.
Until the patch is applied, treating any unfamiliar site as potentially hostile and restricting mod use to trusted sources remains the safest approach.
Applying defence‑in‑depth, such as keeping the browser sandbox enabled and using content‑security‑policy headers where possible, adds another layer of protection.