{"id":14096,"date":"2026-07-06T10:03:40","date_gmt":"2026-07-06T10:03:40","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/06\/opera-gx-0-click-vulnerability-lets-attackers-exfiltrate-user-data-via-malicious-website\/"},"modified":"2026-07-06T10:03:40","modified_gmt":"2026-07-06T10:03:40","slug":"opera-gx-0-click-vulnerability-lets-attackers-exfiltrate-user-data-via-malicious-website","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/06\/opera-gx-0-click-vulnerability-lets-attackers-exfiltrate-user-data-via-malicious-website\/","title":{"rendered":"Opera GX 0-Click Vulnerability Lets Attackers Exfiltrate User Data via Malicious Website"},"content":{"rendered":"<p>    Opera GX 0-Click Vulnerability Lets Attackers Exfiltrate User Data via Malicious Website<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">A newly disclosed vulnerability in Opera GX allowed attackers to silently exfiltrate sensitive user data with no interaction required, simply by luring victims to a <a href=\"https:\/\/cybersecuritynews.com\/malicious-websites-track-ssd-timing\/\" target=\"_blank\" rel=\"noreferrer noopener\">malicious website<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">The issue, documented in recent research titled \u201cOne trigram at a time: XSLeak via Universal CSS Injection and DoS in Opera (GX),\u201d highlights how a seemingly harmless browser customization feature can be weaponized for large-scale data theft.<\/p>\n<p class=\"wp-block-paragraph\">The root cause lies in Opera GX\u2019s \u201cGX Mods\u201d feature, which enables users to customize browser appearance using packaged files.<\/p>\n<p class=\"wp-block-paragraph\">These mods, distributed as .crx files, are automatically installed when downloaded, without requiring explicit user permission.<\/p>\n<p class=\"wp-block-paragraph\">Researchers discovered that attackers could exploit this behavior by embedding a malicious .crx file inside a webpage. When a victim visits the page, the mod installs silently in the background.<\/p>\n<figure class=\"wp-block-image alignwide size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/zhero-web-sec.github.io\/images\/opera-leaks-1.gif?ssl=1\" alt=\"\"><\/figure>\n<p class=\"wp-block-paragraph\">Unlike traditional browser extensions, GX Mods do not support JavaScript or request permissions. However, they can inject CSS across all websites visited by the user.<\/p>\n<p class=\"wp-block-paragraph\">This capability became the foundation of the attack, enabling a <a href=\"https:\/\/cybersecuritynews.com\/xs-leaks-14-new-web-attacks-are-detected-in-the-modern-web-browsers\/\" target=\"_blank\" rel=\"noreferrer noopener\">cross-site leak (XS-Leak)<\/a> via universal CSS injection.<\/p>\n<h2 id=\"h-opera-gx-0-click-vulnerability\" class=\"wp-block-heading\"><strong>Opera GX 0-Click Vulnerability<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">CSS-based attacks cannot directly read sensitive data, but they can infer it by triggering network requests.<\/p>\n<p class=\"wp-block-paragraph\">For example, carefully crafted CSS selectors can detect whether certain values exist in a webpage\u2019s HTML and conditionally load external resources. Each triggered request leaks a small piece of information to an attacker-controlled server.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgQkjN1k7FFOvXFXCSk9rcxcILJ1XJvjckITvsQDcY4a5mOJzOS7Yq777VbxXoV__K9R9VDp7Klv3wdBrNyQqFj683qtHlj7i7gEf1lmiROb-TB1x_di5djinVig4_ZS-eBS_yVdK75zuml_uJ-ZuA5-qoVkTRKgTcTpOO3XARL67JbGMMMPoNQPITR2hw\/s1600\/Screenshot%25202026-07-06%2520141938%2520%25281%2529.webp?ssl=1\" alt=\"Attacker-controlled CSS runs across webpages, enabling browser-wide access ( source : zhero-web-sec )\"><figcaption class=\"wp-element-caption\">Attacker-controlled CSS runs across webpages, enabling browser-wide access ( source: zhero-web-sec )<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">In this case, the researchers designed a large-scale CSS payload capable of extracting data one fragment at a time.<\/p>\n<p class=\"wp-block-paragraph\">They focused on reconstructing a victim\u2019s Gmail address by breaking it into smaller segments called trigrams, which are sequences of three characters.<\/p>\n<p class=\"wp-block-paragraph\">By generating thousands of CSS rules that test for different trigram combinations, the attack could identify which fragments are present in the target data.<\/p>\n<p class=\"wp-block-paragraph\">To avoid limitations in CSS processing, the researchers used advanced techniques such as CSS variables and multi-layered background requests.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/zhero-web-sec.github.io\/images\/opera-leaks-8.gif?ssl=1\" alt=\"\"><\/figure>\n<p class=\"wp-block-paragraph\">These methods allowed multiple data points to be exfiltrated simultaneously without being overridden by <a href=\"https:\/\/cybersecuritynews.com\/hackers-exploiting-css-to-evade-spam-filters\/\" target=\"_blank\" rel=\"noreferrer noopener\">CSS cascading rules<\/a>. The attack also distributed the workload across different HTML elements to prevent browser crashes.<\/p>\n<p class=\"wp-block-paragraph\">Once the victim is redirected to a target page, such as a Google account page containing their email address, the injected CSS begins probing for matching patterns.<\/p>\n<p class=\"wp-block-paragraph\">Each successful match sends a request to the attacker\u2019s server. These requests are then processed using a reconstruction algorithm that assembles the original string from overlapping trigram sequences.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/zhero-web-sec.github.io\/research-and-things\/one-trigram-at-a-time-xsleak-via-universal-css-injection-and-dos-in-opera-(gx)\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">According to zhero_web_security<\/a>, the attack requires only a visit to a malicious site, automatically installing the mod, redirecting the browser, and immediately exfiltrating data.<\/p>\n<p class=\"wp-block-paragraph\">In parallel, the researchers identified a denial-of-service condition in which triggering mod installation in private browsing mode could crash the browser and terminate sessions.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiHBAlrz56bgSsdWnFi_8_E4Vv8-N10e-wuMuezBK5uMXda8zPzWQQpt0GVGDwSOWJRg8uXrY-uSnmcTMVgd5c8Qci7cyqgoM8EfmZC6Cm2VQ-6FZHghRMN9LnhaUEKsCj0GRv240hfDMZcpRLeZCalyYyA0HW-Rbkx6p21Y9LvsMTmJxl5o-doz32vatc\/s1600\/Screenshot%25202026-07-06%2520142126%2520%25281%2529.webp?ssl=1\" alt=\"Page crash due to excessive lack of elegance ( source : zhero-web-sec )\"><figcaption class=\"wp-element-caption\"><em>Page crash due to excessive lack of elegance<\/em> ( source : zhero-web-sec )<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">Opera patched the critical flaw in May 2026 after a coordinated disclosure through its<a href=\"https:\/\/cybersecuritynews.com\/what-is-bug-bounty-program-why-organization-needs-them\/\" target=\"_blank\" rel=\"noreferrer noopener\"> bug bounty program,<\/a> promptly responding and awarding the maximum bounty to the researchers.<\/p>\n<p>This vulnerability demonstrates how non-traditional attack surfaces, such as browser customization features, can introduce significant security risks.<\/p>\n<p class=\"wp-block-paragraph\">It also reinforces the growing relevance of XS-Leak techniques, which exploit subtle browser behaviors rather than conventional script-based vulnerabilities.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/opera-gx-0-click-vulnerability\/\">Opera GX 0-Click Vulnerability Lets Attackers Exfiltrate User Data via Malicious Website<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Abinaya<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/opera-gx-0-click-vulnerability\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Opera GX 0-Click Vulnerability Lets Attackers Exfiltrate User Data via Malicious Website A newly disclosed vulnerability in Opera GX allowed attackers to silently exfiltrate sensitive user data with no interaction required, simply by luring victims to a malicious website. The issue, documented in recent research titled \u201cOne trigram at a time: XSLeak via Universal CSS [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-14096","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14096"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14096"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14096\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14096"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14096"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14096"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}