Critical Opera GX Bug Lets Attackers Steal User Data
Key Takeaways A critical zero-click vulnerability in Opera GX allowed attackers to steal sensitive user data, including Gmail addresses. The flaw exploited the “GX Mods” feature, which...
Key Takeaways
- A critical zero-click vulnerability in Opera GX allowed attackers to steal sensitive user data, including Gmail addresses.
- The flaw exploited the “GX Mods” feature, which silently installed malicious CSS-injecting mods without user permission.
- The attack leveraged cross-site leak (XS-Leak) techniques via universal CSS injection to infer data one character trigram at a time.
- Opera patched the vulnerability in May 2026 following responsible disclosure by security researchers.
A significant security flaw in the Opera GX browser has been uncovered, which enabled threat actors to surreptitiously extract sensitive user information, such as email addresses, with no user interaction required beyond visiting a malicious webpage. The vulnerability highlights how seemingly innocuous browser customization features can be weaponized for sophisticated data exfiltration.
Table Of Content
The details of the exploit were documented in a recent research publication titled “One trigram at a time: XSLeak via Universal CSS Injection and DoS in Opera (GX).” This research details how a core feature of Opera GX, designed for user customization, could be subverted to facilitate large-scale data theft.
The GX Mods Vulnerability
At the heart of the issue was Opera GX’s “GX Mods” functionality. This feature allows users to personalize their browser’s aesthetic and behavior through packaged files. These mods, distributed as .crx files, are designed to install automatically upon download, bypassing explicit user consent mechanisms.
Security researchers identified that this automatic installation behavior presented a critical attack vector. By embedding a malicious .crx file within an attacker-controlled webpage, a victim’s visit to that page would trigger the silent, background installation of the rogue mod.
Unlike conventional browser extensions, GX Mods do not support JavaScript execution and do not prompt for user permissions. However, a crucial capability they possess is the ability to inject custom CSS across all websites the user visits. This universal CSS injection became the foundational element for launching a cross-site leak (XS-Leak) attack.
Zero-Click Data Exfiltration via CSS Injection
While CSS-based attacks cannot directly read confidential data, they can infer its presence by carefully triggering network requests. This technique, known as XS-Leak, relies on crafting specific CSS selectors that can detect the existence of particular values within a webpage’s HTML. If a match is found, the CSS can then conditionally load external resources, each request subtly leaking a small piece of information to an attacker-controlled server.
In this particular exploit, the researchers developed an extensive CSS payload designed to extract data incrementally. Their primary target was to reconstruct a victim’s Gmail address by breaking it down into “trigrams”—sequences of three characters. Thousands of CSS rules were generated to test for various trigram combinations, allowing the attack to identify which fragments were present in the target data.
To circumvent limitations inherent in CSS processing, the researchers employed advanced techniques, including CSS variables and multi-layered background requests. These methods allowed for the simultaneous exfiltration of multiple data points without conflicts arising from CSS cascading rules. Furthermore, the workload was distributed across different HTML elements to prevent browser instability or crashes.
Once a victim was redirected to a target page, such as a Google account page displaying their email address, the injected CSS would initiate its probing for matching patterns. Each successful match would trigger a request to the attacker’s server. A sophisticated reconstruction algorithm then processed these requests, assembling the original string from the overlapping trigram sequences.
According to zhero_web_security, the entire attack chain required minimal user interaction: a visit to a malicious site, automatic mod installation, browser redirection, and immediate data exfiltration.
In addition to the data exfiltration vulnerability, the researchers also identified a denial-of-service condition. Activating mod installation in private browsing mode could lead to a browser crash, resulting in the termination of active sessions.
Opera addressed this critical vulnerability in May 2026, following a coordinated disclosure through its bug bounty program. The company responded promptly, awarding the maximum bounty to the researchers for their findings. This incident underscores the importance of scrutinizing non-traditional attack surfaces, such as browser customization features, and highlights the increasing sophistication and relevance of XS-Leak techniques that exploit subtle browser behaviors over conventional script-based vulnerabilities.
What You Should Do
- Ensure your Opera GX browser is updated to the latest available version to incorporate the patch released in May 2026.
- Exercise caution when visiting unfamiliar websites, as they could potentially host malicious content.
- Regularly review installed browser extensions and mods, removing any that are unnecessary or suspicious.
- Consider enabling enhanced privacy settings within your browser to limit data exposure where possible.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.