What is the 'CrossBarking' vulnerability in the Opera browser?

'CrossBarking' is a security vulnerability in the Opera web browser that allowed malicious extensions to gain unauthorized access to private APIs. This vulnerability could enable attackers to hijack accounts, steal session cookies, and manipulate DNS settings.

When was the CrossBarking vulnerability patched in Opera?

The CrossBarking vulnerability was patched by Opera on September 24, 2024, in collaboration with cybersecurity researchers from Guardio Labs who initially discovered the flaw.

How did the CrossBarking vulnerability affect Opera users?

The vulnerability allowed malicious extensions, especially those installed from third-party stores like the Chrome Web Store, to bypass Opera's security controls. Attackers could potentially capture screenshots, steal session cookies, and alter DNS-over-HTTPS settings.

What steps did Opera take to resolve the CrossBarking vulnerability?

Opera collaborated with Guardio Labs to patch the vulnerability and remove privileges that allowed third-party domains to access private APIs. Opera is also reviewing its web app architecture to prevent similar vulnerabilities in the future.

How can Opera users protect themselves from vulnerabilities like CrossBarking?

Opera users are advised to keep their browser updated, install extensions only from Opera's Add-ons Store (which manually reviews extensions), and exercise caution when installing third-party extensions, particularly from sources like the Chrome Web Store.

Did CrossBarking have a CVE identifier?

No, the CrossBarking vulnerability did not have a CVE identifier.

What role did Guardio Labs play in identifying and addressing the CrossBarking vulnerability?

Guardio Labs discovered the CrossBarking vulnerability and reported it to Opera. They also created a proof-of-concept demonstration showing how a seemingly harmless extension could exploit this vulnerability if downloaded from the Chrome Web Store.

Does Opera offer a bug bounty program for security vulnerabilities?

Yes, Opera encourages responsible disclosure of security vulnerabilities and offers a bug bounty program to enhance the security of its browser.

Advisory

Opera Browser fixes flaw dubbed "Cross Barking" allowing malicious extensions to access private APIs

published: Nov. 4, 2024

Take action: This is a scary variation on a common risk theme - browser plugins and malicious actions. This one is specific to Opera and Chrome extensions which are compatible with Opera but not thoroughly checked by Google. Update your Opera browse and practice installing extensions from Opera's vetted Add-ons Store, avoid third-party extensions where possible.

Learn More

Opera reports they have resolved a security vulnerability in its web browser, known as “CrossBarking,” which allowed malicious extensions to gain unauthorized access to private APIs.

The vulnerability, identified by cybersecurity researchers at Guardio Labs, was patched on September 24, 2024. It potentially enables attackers to perform actions such as account hijacking, session cookie theft, and DNS manipulation.

Ther flaw doesn'h have a CVE identifier. It exploits Opera’s architecture, where specific web apps on privileged domains were granted access to private APIs. These APIs support core Opera features like Opera Flow, Opera Wallet, and Pinboard.

Guardio demonstrated that malicious extensions, if installed from third-party stores like the Chrome Web Store, could inject code into these privileged domains. Once installed, the extension could bypass Opera’s security controls and perform actions such as capturing screenshots, extracting session cookies, and altering DNS-over-HTTPS settings—enabling potential man-in-the-middle attacks.

Guardio created a proof-of-concept for this attack using a seemingly harmless puppy-themed extension. The extension could be installed by Opera users directly from the Chrome Web Store, circumventing Opera’s own Add-ons Store, which performs manual reviews of extensions. Users who ignored Opera’s warning about third-party extensions were at risk of unknowingly installing malicious software.

Opera worked with Guardio to address the vulnerability promptly and remove affected third-party domain privileges. They are also reviewing the architecture of web app features to prevent similar security risks in the future.

Users are advised to:

Update Browser: Ensure Opera is up-to-date to benefit from the latest security patches.
Use Opera’s Add-ons Store: Opera advises users to install extensions exclusively from its manually reviewed Add-ons Store.
Caution with Third-Party Extensions: Users should avoid downloading extensions from external sources like the Chrome Web Store, as these lack Opera’s review safeguards.

Opera continues to encourage responsible vulnerability disclosures from security researchers and offers a bug bounty program to enhance browser security.

Opera Browser fixes flaw dubbed "Cross Barking" allowing malicious extensions to access private APIs

Read More
Google releases new Chrome version, patches two high …
Windows vulnerability CVE-2024-26169 exploited by Black Basta ransomware …
Microsoft Edge releases fix for the Chromium flaws …
End-of-life D-Link NAS devices have a backdoor account, …
Anthropic Patches "ShadowPrompt" Vulnerability in Claude Chrome Extension