Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
RedLine Stealer C2 Uses 7 Fraudulent Domains in Maritime Phishing Attacks
July 6, 2026
Teen Arrested for Bandai Channel Cyberattack Aided by ChatGPT
July 6, 2026
Gaslight macOS Malware Evades AI Security Analysis With Prompt Injection
July 6, 2026
Home/CyberSecurity News/Critical Opera GX Bug Lets Attackers Steal User Data
CyberSecurity News

Critical Opera GX Bug Lets Attackers Steal User Data

Key Takeaways A critical zero-click vulnerability in Opera GX allowed attackers to steal sensitive user data, including Gmail addresses. The flaw exploited the “GX Mods” feature, which...

David kimber
David kimber
July 6, 2026 4 Min Read
3 0

Key Takeaways

  • A critical zero-click vulnerability in Opera GX allowed attackers to steal sensitive user data, including Gmail addresses.
  • The flaw exploited the “GX Mods” feature, which silently installed malicious CSS-injecting mods without user permission.
  • The attack leveraged cross-site leak (XS-Leak) techniques via universal CSS injection to infer data one character trigram at a time.
  • Opera patched the vulnerability in May 2026 following responsible disclosure by security researchers.

A significant security flaw in the Opera GX browser has been uncovered, which enabled threat actors to surreptitiously extract sensitive user information, such as email addresses, with no user interaction required beyond visiting a malicious webpage. The vulnerability highlights how seemingly innocuous browser customization features can be weaponized for sophisticated data exfiltration.

Table Of Content

  • Key Takeaways
  • The GX Mods Vulnerability
  • Zero-Click Data Exfiltration via CSS Injection
  • What You Should Do

The details of the exploit were documented in a recent research publication titled “One trigram at a time: XSLeak via Universal CSS Injection and DoS in Opera (GX).” This research details how a core feature of Opera GX, designed for user customization, could be subverted to facilitate large-scale data theft.

The GX Mods Vulnerability

At the heart of the issue was Opera GX’s “GX Mods” functionality. This feature allows users to personalize their browser’s aesthetic and behavior through packaged files. These mods, distributed as .crx files, are designed to install automatically upon download, bypassing explicit user consent mechanisms.

Security researchers identified that this automatic installation behavior presented a critical attack vector. By embedding a malicious .crx file within an attacker-controlled webpage, a victim’s visit to that page would trigger the silent, background installation of the rogue mod.

Unlike conventional browser extensions, GX Mods do not support JavaScript execution and do not prompt for user permissions. However, a crucial capability they possess is the ability to inject custom CSS across all websites the user visits. This universal CSS injection became the foundational element for launching a cross-site leak (XS-Leak) attack.

Zero-Click Data Exfiltration via CSS Injection

While CSS-based attacks cannot directly read confidential data, they can infer its presence by carefully triggering network requests. This technique, known as XS-Leak, relies on crafting specific CSS selectors that can detect the existence of particular values within a webpage’s HTML. If a match is found, the CSS can then conditionally load external resources, each request subtly leaking a small piece of information to an attacker-controlled server.

In this particular exploit, the researchers developed an extensive CSS payload designed to extract data incrementally. Their primary target was to reconstruct a victim’s Gmail address by breaking it down into “trigrams”—sequences of three characters. Thousands of CSS rules were generated to test for various trigram combinations, allowing the attack to identify which fragments were present in the target data.

To circumvent limitations inherent in CSS processing, the researchers employed advanced techniques, including CSS variables and multi-layered background requests. These methods allowed for the simultaneous exfiltration of multiple data points without conflicts arising from CSS cascading rules. Furthermore, the workload was distributed across different HTML elements to prevent browser instability or crashes.

Once a victim was redirected to a target page, such as a Google account page displaying their email address, the injected CSS would initiate its probing for matching patterns. Each successful match would trigger a request to the attacker’s server. A sophisticated reconstruction algorithm then processed these requests, assembling the original string from the overlapping trigram sequences.

According to zhero_web_security, the entire attack chain required minimal user interaction: a visit to a malicious site, automatic mod installation, browser redirection, and immediate data exfiltration.

In addition to the data exfiltration vulnerability, the researchers also identified a denial-of-service condition. Activating mod installation in private browsing mode could lead to a browser crash, resulting in the termination of active sessions.

Opera addressed this critical vulnerability in May 2026, following a coordinated disclosure through its bug bounty program. The company responded promptly, awarding the maximum bounty to the researchers for their findings. This incident underscores the importance of scrutinizing non-traditional attack surfaces, such as browser customization features, and highlights the increasing sophistication and relevance of XS-Leak techniques that exploit subtle browser behaviors over conventional script-based vulnerabilities.

What You Should Do

  • Ensure your Opera GX browser is updated to the latest available version to incorporate the patch released in May 2026.
  • Exercise caution when visiting unfamiliar websites, as they could potentially host malicious content.
  • Regularly review installed browser extensions and mods, removing any that are unnecessary or suspicious.
  • Consider enabling enhanced privacy settings within your browser to limit data exposure where possible.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitPatchSecurityVulnerability

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

Critical OpenAI Vulnerability Exposed Sensitive Prompts and API Activity

Next Post

TrojPix Attack Remotely Exfiltrates Data From Air-Gapped Computers

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Opera GX Bug Lets Attackers Steal User Data
July 6, 2026
Critical OpenAI Vulnerability Exposed Sensitive Prompts and API Activity
July 6, 2026
SSH Honeypots Fail to Detect Post-Login Attacks, Study Finds
July 6, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us