A critical security flaw in the Opera web browser could have allowed malicious extensions to gain unauthorized, full access to private APIs, threatening users’ privacy and security. Guardio Labs researchers named the exploit CrossBarking and demonstrated how malicious extensions could potentially take screenshots, modify browser settings, and even hijack user accounts.
To illustrate the flaw, Guardio Labs created a harmless-looking extension and published it on the Chrome Web Store. When installed on Opera, this extension exploited CrossBarking, showcasing an instance of a cross-browser-store attack. “This case study highlights the ongoing tension between productivity and security,” said Nati Tal, head of Guardio Labs, noting how today’s threat actors operate subtly and effectively.
Opera resolved the issue through a patch issued on September 24, 2024, following responsible disclosure. However, the browser has previously experienced other vulnerabilities, including MyFlaw, discovered in January, which leveraged Opera’s “My Flow” feature to execute files on the operating system.