Bulletins //

Cyber Insights: Opera GX Zero-Click Browser Flaw Could Allow Silent Cross-Site Data Theft

17 July 2026

Overview

A critical vulnerability in Opera GX has been patched after researchers discovered that malicious websites could silently install browser modifications without requiring any user interaction.

The flaw affected Opera GX’s automatic mod installation mechanism, allowing an attacker-controlled website to install a browser mod in the background simply by convincing a user to visit a webpage. Once installed, the modification could apply malicious styling across every website the victim subsequently visited, creating an opportunity to extract sensitive information from authenticated sessions.

Researchers demonstrated that the technique could recover a signed-in user’s Gmail address using a browser-based side-channel attack known as a Cross-Site Leak (XS-Leak). Although arbitrary code execution was not possible, the attack highlighted how seemingly harmless browser customisation features can be abused to compromise user privacy and support more targeted attacks.

Opera has addressed the issue in Opera GX version 130.0.5847.89 and has stated there is currently no evidence that the vulnerability has been exploited in the wild.


What Was the Vulnerability?

The issue centred on the way Opera GX handled the installation of browser mods.

Normally, browser extensions and modifications require some level of user approval before they can be installed. In this case, however, researchers found that a specially crafted website could silently trigger the installation of a GX Mod without displaying prompts, permission requests or confirmation messages.

The victim simply needed to visit a malicious webpage.

Once installed, the browser modification remained active across future browsing sessions, allowing attacker-controlled CSS (Cascading Style Sheets) to influence how websites were rendered inside the browser.

While CSS is typically used to control the appearance of webpages, researchers demonstrated that it could also be manipulated to infer sensitive information from authenticated websites by exploiting browser behaviour rather than directly reading page content.


How the Attack Worked

Unlike many browser attacks that rely on phishing or malicious downloads, this technique required no interaction beyond visiting a compromised website.

Researchers demonstrated an attack chain in which a malicious page silently installed a GX Mod using a hidden iframe. That modification then applied attacker-controlled CSS across every website the user visited afterwards.

Using carefully crafted CSS selectors alongside XS-Leak techniques, the browser was induced to make outbound requests that revealed information one character at a time. Although the attacker could not directly read webpage content, the pattern of those requests allowed sensitive values to be reconstructed.

In their proof of concept, researchers successfully recovered a victim’s authenticated Gmail address. The same technique could potentially expose usernames, account identifiers or other information contained within webpage attributes.


Why This Matters

This vulnerability demonstrates how browser-based attacks continue to evolve beyond traditional malware and malicious extensions.

The most concerning aspect of the research is the absence of user interaction. Because the installation occurred automatically, users were given no opportunity to reject or question the browser modification before it became active.

While the information exposed may appear limited at first glance, data such as email addresses, usernames and account identifiers can provide attackers with valuable intelligence for follow-on attacks, including credential harvesting, account enumeration and highly targeted phishing campaigns.

The research also illustrates how legitimate browser functionality can sometimes be combined in unexpected ways to create entirely new attack techniques.


A Long-Standing Design Weakness

Interestingly, researchers had previously highlighted Opera GX’s silent mod installation behaviour in 2023.

Although Opera addressed an earlier exploit chain involving address bar spoofing, the underlying installation mechanism remained unchanged until this latest disclosure.

This serves as an important reminder that security risks do not always arise from newly introduced vulnerabilities. In some cases, longstanding design decisions can remain exploitable until new research demonstrates previously unknown attack techniques.


Detection & Monitoring Recommendations

Organisations that permit Opera GX within corporate environments should first verify that all installations have been updated to version 130.0.5847.89 or later.

Beyond patching, security teams should monitor for unexpected browser modification events, particularly the installation of new GX Mods or browser extensions that users did not explicitly approve.

Additional investigation may be warranted where analysts observe:

  • Unexpected downloads of .crx files
  • Browser redirects immediately before access to authenticated websites
  • Unusual outbound browser requests
  • Browser crashes associated with mod installation attempts
  • New browser modifications appearing without user interaction

Because the attack relies on browser behaviour rather than traditional malware, endpoint telemetry and browser activity logs may provide the most useful indicators during an investigation.


Recommended Actions

The immediate priority is ensuring Opera GX browsers are updated to the latest patched release.

Organisations should also review whether Opera GX is required within managed enterprise environments, particularly where browser customisation features introduce additional security considerations.

Security teams should consider implementing browser management policies that restrict unauthorised extensions or modifications, while maintaining visibility into browser configuration changes across managed endpoints.

Regular monitoring of browser network activity and endpoint telemetry can also help identify suspicious behaviour associated with future browser-based attacks that may not involve malware execution.


Analyst Assessment

While there is currently no evidence that this vulnerability has been exploited in real-world attacks, it represents a noteworthy development in browser security research.

The combination of zero-click installation, persistent browser modification and CSS-based information disclosure demonstrates how attackers continue to identify creative ways of abusing legitimate browser functionality to bypass conventional security controls.

For defenders, the incident reinforces the importance of keeping browsers fully updated, monitoring for unauthorised browser modifications and recognising that browser security is becoming an increasingly important component of enterprise cyber defence.

As organisations continue to rely on web-based applications for everyday business operations, even seemingly niche browser vulnerabilities have the potential to expose sensitive information that can support wider intrusion campaigns.


How NormCyber MDR Helps Identify Emerging Browser Threats

Modern attacks increasingly target trusted applications that users interact with every day, including web browsers. While vulnerabilities such as this may not deploy traditional malware, they can still expose sensitive information that supports credential theft, phishing and wider compromise. NormCyber’s Managed Detection and Response (MDR) service provides continuous monitoring across endpoints, identities and network activity, helping organisations identify suspicious browser behaviour that could indicate emerging attack techniques.

Our SOC analysts investigate unusual browser modifications, unexpected downloads, abnormal outbound connections and suspicious authentication activity that may signal an attacker attempting to harvest credentials or profile users. By combining endpoint telemetry with behavioural analytics and expert threat hunting, NormCyber MDR helps organisations detect sophisticated attacks that traditional signature-based security tools may overlook.


Sources

Primary:
https://zhero-web-sec.github.io/research-and-things/one-trigram-at-a-time-xsleak-via-universal-css-injection-and-dos-in-opera-(gx)


Secondary:
https://thehackernews.com/2026/07/opera-gx-flaw-let-malicious-sites-auto.html