HackMyIP
← Back to News
2026-07-06 The Hacker News

Opera GX Flaw Let Sites Silently Steal Data via Mod Auto-Install

VulnerabilityBug BountyPrivacy

A serious vulnerability in Opera GX, the gaming-focused browser from Opera, allowed a malicious website to silently install a browser modification and use it to extract sensitive data from any page the victim visited. Researchers demonstrated that the flaw could reconstruct a signed-in user's full Gmail address from a single visit, with no clicks or approval prompts required. Opera confirmed the issue, shipped a fix in Opera GX version 130.0.5847.89, and stated it found no evidence of in-the-wild exploitation, though no CVE was assigned. The Opera bug bounty team rated the issue P1, its highest severity, and awarded the maximum $5,000 payout.

The root cause lies in how Opera GX handles GX Mods, the browser's reskinning add-ons for themes, sounds, and CSS restyling. Unlike standard extensions, mods ship as .crx files without JavaScript or permissions, which should make them harmless. However, Opera's mod pipeline automatically downloads and enables any mod triggered by a webpage, with no approval prompt. A malicious site can trigger this simply by loading a hidden iframe pointing at a .crx file, leaving only a small notification bar below the address bar as evidence. This auto-install behavior was first flagged by researcher Renwa in 2023, who escalated an installed mod into a full extension to spoof the browser's address bar; Opera patched that specific attack in March 2023 but left the underlying mechanism in place, which this new research builds on.

The real danger emerges from what mods can do with CSS. A mod's stylesheet is applied universally across every site the browser visits, not just the page that triggered installation, creating what the researchers call a universal CSS injection. While CSS alone cannot exfiltrate data, it can leak values one character at a time using attribute selectors, a rule can test whether an element's attribute value begins with a specific letter, fetching a background image from an attacker-controlled server only when the condition matches. Repeated thousands of times, this XS-Leak (cross-site leak) technique can reconstruct sensitive strings character by character. In their proof of concept, the researchers targeted myaccount.google.com/contactemail, which exposes the user's address in three HTML attributes, packing the mod with roughly 150,000 CSS rules to piece the data together, a method that highlights how exposed browser-level attributes can be, something a browser fingerprint test can help users evaluate.

For users concerned about similar data-leakage vectors in their own browsing, running a quick privacy checkup can reveal how much information their browser silently exposes to the sites they visit. Anyone worried about whether their email address has been exposed through similar side-channel attacks can also use an email breach checker to verify their exposure. With the patch now deployed in Opera GX 130.0.5847.89, the immediate risk is mitigated, but the research underscores a recurring lesson: any mechanism that auto-installs or auto-enables browser content without explicit consent can be weaponized, and the line between cosmetic add-ons and powerful data-extraction primitives is far thinner than it appears.

Source: The Hacker News →

Related Tools

Check whether this kind of story affects you — free, no signup:

Browser Fingerprint →Privacy Checkup →Email Breach Check →

Related Guides

Learn the background behind this story:

What is a VPN? →How websites track you →Browser fingerprinting explained →