A vulnerability in an Opera browser feature for sharing files between devices could have led to remote code execution, threat protection firm Guardio Labs reports.
The impacted feature, My Flow, allows users to easily exchange messages and files between desktop and mobile devices, by simply scanning a QR code using Opera's mobile application.
Once the code is scanned, users are presented with a chat-like interface that allows them to immediately execute the shared files, which is convenient for users, but also exposes them to security risks.
Starting from this hypothesis, Guardio Labs' security researchers started digging into the architecture, development, and security protocols Opera uses to identify any issues that could be exploited maliciously.
During their investigation, the researchers discovered that the My Flow feature relies on a built-in browser extension, 'Opera Touch Background', which holds broad permissions, although the browser implements numerous restrictions and security checks to prevent code injection attacks and other forms of malicious abuse.
One of these security mechanisms ensures that only web resources under declared domains can communicate with the underlying extension, and only using a specific API. Even if an attacker could manipulate such a resource to add their own script, they would also have to bypass a hash value check.
Guardio Labs discovered that several versions of the My Flow landing page were still lying around, some of them a few years old and lacking the more recent security checks.
The discovery allowed the researchers to create a proof-of-concept extension designed to download and execute a file on a victim's computer.
The extension would create a fake device instance to generate a QR code that could be used for pairing with the browser, and then simulate a file transfer to deliver a malicious payload to the victim's browser.
In practice, an attacker could create a nefarious extension, trick the victim into installing it, and have malicious code executed on the victim's system in less than a second, on either Windows or macOS, Guardio Labs says.
Impacting the Opera and Opera GX browsers on both Windows and macOS, the issue was resolved in November 2023 on the server side.
According to Guardio Labs, no evidence of in-the-wild exploitation of this vulnerability was found.
Responding to a SecurityWeek inquiry, Opera confirmed that it was made aware of the vulnerability on November 17 and that a fix was deployed by November 22.
This Cyber News was published on www.securityweek.com. Publication date: Tue, 16 Jan 2024 14:43:11 +0000