“CrossBarking: Leveraging a 0-Day Opera Vulnerability via Cross-Browser Extension Store Exploits”

Guardio Labs disclosed a critical Opera browser vulnerability that let malicious extensions call Opera’s Private APIs to capture the screen, modify browser settings, and hijack accounts. The research shows a practical cross‑browser-store attack method (dubbed “CrossBarking”) that delivered a malicious Puppy-themed extension via the Chrome Web Store to exploit Opera. #CrossBarking #Opera

Keypoints

  • A 0-day in the Opera browser allowed extensions to access privileged Private APIs intended only for specific Opera-controlled domains.
  • Malicious extensions exploiting this issue can be built easily and distributed through the Chrome Web Store, reaching large user bases.
  • Private APIs exposed powerful capabilities such as chrome.cookies access, screen capture (pinboardPrivate), extension management, and settings modification.
  • Attackers can perform cross‑browser-store attacks: an extension hosted in Chrome’s store can affect Opera users who install it.
  • Guardio built a proof‑of‑concept Puppy-themed extension that injected code (injected.js/content.js) to change DNS over HTTPS settings via chrome.settingsPrivate.setPref(), demonstrating DNS hijacking and MiTM risks.
  • Opera removed certain domain privileges and deployed fixes on September 24, 2024, after coordinated disclosure with Guardio.
  • Recommendations include stricter store review, continuous post‑approval monitoring, and stronger developer identity verification to reduce such risks.

MITRE Techniques

  • [T1003] Credential Dumping – Using the chrome.cookies API to extract session cookies and hijack accounts.
  • [T1071] Application Layer Protocol – Manipulating browser settings to redirect traffic through a rogue DNS server and exfiltrate or manipulate data over HTTP(S).
  • [T1557] Man-in-the-Middle – Hijacking DNS settings via privileged Private APIs to intercept and modify user traffic.

Indicators of Compromise

  • [Domain] privileged/exploited domains – crypto-corner.op-test.net, opera.com, and other Opera privileged domains
  • [Malicious DNS] rogue DNS endpoint used in POC – https://bad.dnsserver.xyz
  • [URL] exploit trigger link (contains base64-encoded payload) – https://crypto-corner.op-test.net/#puppiesOn-eyJkbnNfb3Zlcl9odHRwcy5tb2RlIjoic2VjdXJlIiwiZG5zX292ZXJfaHR0cHMudGVtcGxhdGVzIjoiaHR0cHM6Ly9iYWQuZG5zc2VydmVyLnh5eiJ9
  • [File names] extension payload files used in POC – injected.js, content.js

Guardio Labs discovered and responsibly disclosed a critical flaw in Opera where specific web app domains were hardcoded with elevated privileges, giving those domains access to Private APIs embedded in the browser. These Private APIs were intended to support features such as pinboards, Opera Flow, and Wallet, but the presence of publicly reachable development and third‑party domains in the privileged list—examples include op-test.net and crypto-corner.op-test.net—created an attack surface that could be abused by code executing in those domain contexts.

The researchers demonstrated a practical, low‑effort attack they named “CrossBarking.” Rather than exploiting an XSS or performing a domain takeover, the team showed that a malicious browser extension could inject script into a page on a privileged Opera domain to call Private APIs directly. Extension content scripts can modify the DOM, and by inserting a script element that loads a local, web-accessible extension file (injected.js), an extension can execute code in the page context and bypass the Content Security Policy restrictions that would block other external scripts. Guardio included simple example code showing how a content script appends injected.js and how that injected script can call chrome.settingsPrivate.setPref() when running on a permissive domain.
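A static triage check for the injection pattern described above, added here as an example (not Guardio's code or the Puppy extension's real files): it flags an unpacked extension whose manifest combines an all-URL content script with a web-accessible script, and whose content script loads that resource into the page context. The manifest and content script below are constructed samples, and the MV3 manifest shape is assumed.

```python
import json
import re

# Constructed sample manifest (MV3 shape) and content script, modelled on the
# content.js -> injected.js pattern; not the real Puppy extension's files.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Puppy (constructed sample)",
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    "web_accessible_resources": [
        {"resources": ["injected.js"], "matches": ["<all_urls>"]}
    ],
})
SAMPLE_CONTENT_JS = """
const s = document.createElement('script');
s.src = chrome.runtime.getURL('injected.js');
(document.head || document.documentElement).appendChild(s);
"""

# A script element being created, and extension-local resources being resolved.
INJECT_RE = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)")
GETURL_RE = re.compile(r"chrome\.runtime\.getURL\(\s*['\"]([^'\"]+)['\"]\s*\)")


def page_context_injection_findings(manifest_json: str, content_js: str) -> list:
    """Return human-readable findings for the content-script -> page-context pattern."""
    m = json.loads(manifest_json)
    findings = []
    # Content scripts declared for every origin, including privileged vendor domains.
    broad_cs = any("<all_urls>" in cs.get("matches", [])
                   for cs in m.get("content_scripts", []))
    if broad_cs:
        findings.append("content script runs on <all_urls>")
    # Resources any page may load by extension URL (MV3 list-of-objects form).
    exposed = set()
    for war in m.get("web_accessible_resources", []):
        if "<all_urls>" in war.get("matches", []):
            exposed.update(war.get("resources", []))
    # Only count getURL() targets when a script element is also being created.
    injected = set(GETURL_RE.findall(content_js)) if INJECT_RE.search(content_js) else set()
    for res in sorted(injected & exposed):
        findings.append(f"content script injects web-accessible {res} into page context")
    return findings
```

Run it over each content script listed in the manifest; two findings together are the signature worth a manual look, since the pattern alone is also used by benign extensions.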

Using this injection method, Guardio built a minimal proof of concept that changes the browser’s DNS over HTTPS configuration to point to a rogue DNS server (https://bad.dnsserver.xyz). With DNS resolution hijacked, an attacker can perform man‑in‑the‑middle operations: spy on traffic, modify pages, and present phishing content under legitimate domain names. The POC specifically targeted a publicly reachable Opera development domain (crypto-corner.op-test.net) and invoked the Private API to set new DNS templates, demonstrating how an unassuming extension can stealthily reconfigure a user’s browser without further interaction beyond installation.

To prove how such an extension could bypass store controls, Guardio packaged the exploit into a benign‑looking “Puppy” extension. The extension requested permissions for content scripts on all URLs to insert playful elements on pages, a plausible justification for the broad permission. The team then hid the actual exploit trigger behind a configuration page link whose fragment contained a base64‑encoded JSON payload (the puppiesOn-… hash) that, when visited, caused the privileged API call. This multistage flow was designed to avoid detection by store review processes and to protect the zero‑day until Opera could fix it. The extension was approved in the Chrome Web Store within 24 hours as an unlisted item, illustrating the gap between store policy checks and real‑world abuse potential, particularly when an extension targets another browser (Opera) through cross‑store installation.
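The trigger link from the Indicators of Compromise section carries its payload as base64 JSON after the puppiesOn- prefix. The following added example (not Guardio's code) decodes such a fragment and reports which DNS-over-HTTPS preferences it would set; the TRUSTED_DOH allowlist is an assumed organisational setting.

```python
import base64
import json
from typing import Optional
from urllib.parse import urlsplit

# Fragment prefix the Puppy PoC used, as reported by Guardio.
TRIGGER_PREFIX = "puppiesOn-"

# Assumed allowlist of DoH resolvers an organisation trusts (not from the report).
TRUSTED_DOH = {"https://dns.google/dns-query", "https://cloudflare-dns.com/dns-query"}

# Trigger URL taken from the report's IoC list.
TRIGGER_URL = ("https://crypto-corner.op-test.net/#puppiesOn-"
               "eyJkbnNfb3Zlcl9odHRwcy5tb2RlIjoic2VjdXJlIiwiZG5zX292ZXJfaHR0cHMu"
               "dGVtcGxhdGVzIjoiaHR0cHM6Ly9iYWQuZG5zc2VydmVyLnh5eiJ9")


def decode_trigger(url: str) -> Optional[dict]:
    """Return the JSON object hidden in a '#puppiesOn-<base64>' fragment, else None."""
    frag = urlsplit(url).fragment
    if not frag.startswith(TRIGGER_PREFIX):
        return None
    b64 = frag[len(TRIGGER_PREFIX):]
    # Re-pad so fragments with stripped '=' padding still decode.
    b64 += "=" * (-len(b64) % 4)
    try:
        obj = json.loads(base64.urlsafe_b64decode(b64).decode("utf-8"))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return obj if isinstance(obj, dict) else None


def assess_prefs(prefs: dict) -> list:
    """Flag preference changes that would reroute DNS to an untrusted resolver."""
    findings = []
    if prefs.get("dns_over_https.mode") == "secure":
        findings.append("DoH forced to 'secure' mode: all resolution goes to the template URL")
    # Chromium stores DoH templates as a space-separated list of URLs.
    for tmpl in prefs.get("dns_over_https.templates", "").split():
        if tmpl not in TRUSTED_DOH:
            findings.append(f"DoH template points to untrusted resolver: {tmpl}")
    return findings


if __name__ == "__main__":
    for line in assess_prefs(decode_trigger(TRIGGER_URL) or {}):
        print(line)
```

Decoding the report's own trigger yields a "secure" mode with https://bad.dnsserver.xyz as the sole template, which is exactly the DNS hijack the POC performed.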

Guardio noted that this attack vector is not limited to Opera: many Chromium‑based vendors implement private APIs and privileged domains to deliver unique features, and similar weaknesses could exist across browsers that inherit Chromium’s design choices. The researchers also emphasized that other traditional attack paths, such as XSS or abandoned subdomain takeovers, remain relevant because Private APIs are still accessible in those contexts; fixing the privileged domain list reduces one class of risk but does not remove all avenues for exploitation.

After coordinated disclosure, Opera responded swiftly. On September 24, 2024, Opera deployed a fix that removed certain third‑party domain privileges (including vk, Instagram, and Yandex) and disabled content scripting on high‑permission domains, aligning those domains with protections already applied to the Chrome Web Store domain. Opera indicated no evidence that the specific attack occurred in the wild and thanked Guardio for the responsible disclosure and collaboration. Guardio also documented that, while Opera performs manual reviews for extensions in its own store, the ability to suggest Chrome Web Store extensions and users’ tendency to install from multiple stores creates an environment where cross‑store attacks can succeed.

Guardio’s disclosure concludes with practical recommendations: strengthen extension review processes with more resources and continuous behavioral monitoring post‑approval; enforce stricter developer identity verification so accounts cannot be created with only a free email and prepaid card; and adopt runtime protections that limit content scripting on privileged domains. For end users, the advice is to be cautious when installing extensions, limit permissions to the minimum necessary, and employ protective tools that detect or block suspicious extension behavior.

Read more: https://medium.com/@guardiosecurity/crossbarking-exploiting-a-0-day-opera-vulnerability-with-a-cross-browser-extension-store-attack-db3e6d6e6aa8?source=rss-6a038e71ff0f——2