Guardio Labs, known for its browser security tool that boasts over a million users, has recently revealed a critical zero-day vulnerability in the Opera browser family.
The company has launched a report detailing these vulnerabilities named MyFlawCross Platform 0-Day RCE Vulnerability Discovered in Opera's Browsers. The Opera browser family, notably the fourth most widely used browser globally, has over 350 million active users.
The vulnerability is traced back to Opera's "My-Flow" feature. This tool enables users to sync messages and files between mobile app usage and desktop browser usage through a controlled browser extension.
Unfortunately, this could have created a medium for threat actors to create and maliciously activate files on the Operating System (OS) filesystem, Guardio states. The users most at risk from this were those utilising Microsoft and MacOS software, as the vulnerability could bypass the browser's sandbox and browser processes.
Opera's My-Flow extension vulnerability provided a perfect environment for threat actors to exploit by spreading disruptive payloads. Unfortunately, the Opera extension's automatic encryption feature, utilised to send files, inadvertently concealed these harmful payloads.
Even though downloading the payload requires a click, threat actors could effectively trick users into doing so by using social engineering tactics. This manipulation introduces a potent attack vector with catastrophic potential for causing harm, the company states.
Upon discovering the vulnerability, Guardio Labs states the team quickly got in touch with the Opera team to fully disclose their findings. The Opera team was reported to be extremely cooperative, responsive, and ultimately effective in rectifying the vulnerability.
With quick action from both sides, the issue was addressed in a short timeframe, showing the value of effective communication and cooperation in managing cybersecurity threats, Guardio states
This incident serves as a reminder about the wider challenges in technology innovation where security considerations must be prioritised for web browsers, Guardio Labs states. Given the substantial user base and the importance of web browsers in everyday operations, service providers must strive for continual vigilance, timely reporting, and swift response to potential threats.
Guardio is a cybersecurity company focused on ensuring a safe digital experience for private users and small businesses via its intuitive browser extension and mobile apps. Founded in 2018 by cybersecurity industry veterans Amos Peled, Daniel Sirota, and Michael Weinstein, the company states its mission is to help create a secure digital world for everyone, and it has gained over one and a half million users since its launch.