Opera GX 0-Click Vulnerability Lets Attackers Exfiltrate User Data via Malicious Website
A newly disclosed vulnerability in Opera GX allowed attackers to silently exfiltrate sensitive user data with no interaction required, simply by luring victims to a malicious website.
The issue, documented in recent research titled “One trigram at a time: XSLeak via Universal CSS Injection and DoS in Opera (GX),” highlights how a seemingly harmless browser customization feature can be weaponized for large-scale data theft.
The root cause lies in Opera GX’s “GX Mods” feature, which enables users to customize browser appearance using packaged files.
These mods, distributed as .crx files, are automatically installed when downloaded, without requiring explicit user permission.
Researchers discovered that attackers could exploit this behavior by embedding a malicious .crx file inside a webpage. When a victim visits the page, the mod installs silently in the background.

Unlike traditional browser extensions, GX Mods do not support JavaScript or request permissions. However, they can inject CSS across all websites visited by the user.
This capability became the foundation of the attack, enabling a cross-site leak (XS-Leak) via universal CSS injection.
Opera GX 0-Click Vulnerability
CSS-based attacks cannot directly read sensitive data, but they can infer it by triggering network requests.
For example, carefully crafted CSS selectors can detect whether certain values exist in a webpage’s HTML and conditionally load external resources. Each triggered request leaks a small piece of information to an attacker-controlled server.

In this case, the researchers designed a large-scale CSS payload capable of extracting data one fragment at a time.
They focused on reconstructing a victim’s Gmail address by breaking it into smaller segments called trigrams, which are sequences of three characters.
By generating thousands of CSS rules that test for different trigram combinations, the attack could identify which fragments are present in the target data.
To avoid limitations in CSS processing, the researchers used advanced techniques such as CSS variables and multi-layered background requests.

These methods allowed multiple data points to be exfiltrated simultaneously without being overridden by CSS cascading rules. The attack also distributed the workload across different HTML elements to prevent browser crashes.
Once the victim is redirected to a target page, such as a Google account page containing their email address, the injected CSS begins probing for matching patterns.
Each successful match sends a request to the attacker’s server. These requests are then processed using a reconstruction algorithm that assembles the original string from overlapping trigram sequences.
According to zhero_web_security, the attack requires only a visit to a malicious site, automatically installing the mod, redirecting the browser, and immediately exfiltrating data.
In parallel, the researchers identified a denial-of-service condition in which triggering mod installation in private browsing mode could crash the browser and terminate sessions.

Opera patched the critical flaw in May 2026 after a coordinated disclosure through its bug bounty program, promptly responding and awarding the maximum bounty to the researchers.
This vulnerability demonstrates how non-traditional attack surfaces, such as browser customization features, can introduce significant security risks.
It also reinforces the growing relevance of XS-Leak techniques, which exploit subtle browser behaviors rather than conventional script-based vulnerabilities.
The post Opera GX 0-Click Vulnerability Lets Attackers Exfiltrate User Data via Malicious Website appeared first on Cyber Security News.
Abinaya
Go to cyber-security-news