Opera GX users have been installing GX Mods for years to change the browser’s look and feel. Turns out, that same feature had a much bigger problem hiding underneath.

A newly published report from zhero_web_security reveals that GX Mods could be abused to install a malicious mod simply by getting someone to visit a website. No confirmation dialog popped up before the installation. The browser would add the mod automatically, leaving only a small notification that it had been installed.

opera-browser-mod-notification

That might not sound too alarming at first. After all, GX Mods don’t behave like normal browser extensions. They don’t ask for permissions and they can’t run JavaScript.

The researchers found that wasn’t enough to keep them harmless.

GX Mods can inject CSS into websites to change how pages look. That’s one of the features that makes them popular with gamers who enjoy customizing everything. The problem was that a malicious mod could inject its CSS into every page the user opened, not just one site.

From there, the researchers built an attack that slowly leaked information from other websites.

Their proof of concept focused on a Google account page. Instead of trying to read the page directly, the attack relied on CSS rules that triggered tiny network requests whenever certain pieces of text matched. Those pieces were then stitched back together until the victim’s Gmail address could be reconstructed.

opera-browser-vulnerability-live-example

It’s a clever attack, but also one that’s difficult to explain without getting lost in the technical details. The important part is that visiting one malicious website could leave behind a GX Mod that continued working across other sites without the user realizing it.

The same research uncovered another issue too.

The report says opening a specially crafted .crx file while browsing in Incognito mode could crash Opera GX and the regular Opera browser, causing the current browsing session to disappear.

opera-leaks-1

The good news is that neither issue is still present. The researchers disclosed the bugs through Opera’s bug bounty program earlier this year, and Opera fixed them before the report went public. According to the disclosure timeline, the company ultimately classified the main bug as critical and paid the maximum $5,000 reward.

Stories like this are also why browser makers have been paying much closer attention to add-ons. Google recently updated the Chrome Web Store rules to make extension developers clearly explain what data they collect and limit themselves to information that’s actually needed. Developers have until August 1 to comply or risk having their extensions removed. You can read more about those policy changes in our earlier coverage.

GX Mods remain one of Opera GX’s standout features, but this incident shows they were trusted a little too much. Since the bugs have already been patched, users don’t need to take any action as long as they’re running an up-to-date version of the browser.

We stand out from the tech-media crowd because we break news stories; we mainly bring you stuff that you won’t find anywhere in the mainstream tech media. Our stories have been picked up by some of the world’s most popular websites and media outlets—more info is available here.

Dwayne Cubbins
2783 Posts

I cover fast-moving stories across apps, online platforms, and everyday tech — phones, wearables, consoles, and whatever else people are fighting with this week. Bugs, rollouts, scams, policy enforcement, and the occasional internet-culture rabbit hole are all fair game. My goal is simple — make confusing tech news readable. When I'm not working, I'm working out or chilling with my dog. Got a tip? You can find me on X @dcubbins.