A recently patched security flaw in the Opera browser, dubbed “CrossBarking,” exposed users to potential attacks by malicious extensions, allowing unauthorized access to private browser APIs. Researchers from Guardio Labs revealed that attackers could exploit this vulnerability before Opera’s fix on Sept. 24 to capture screenshots, hijack accounts, and alter browser settings — effectively compromising user privacy.

In their investigation, Guardio researchers demonstrated how CrossBarking could be weaponized by publishing a seemingly benign extension to the Chrome Web Store, which, when installed on Opera, exploited the flaw in a cross-browser-store attack. This approach allowed malicious extensions to bypass Opera’s usual security measures and posed a threat to users who might unknowingly install these risky add-ons.

A critical aspect of CrossBarking involved specific Opera subdomains with privileged API access, intended for internal development and features such as Opera Wallet and Pinboard. These domains, which also included third-party URLs like Instagram and Yandex, were open to exploitation by content scripts in malicious extensions. Once active, these scripts could inject harmful JavaScript, enabling attackers to take screenshots, extract session cookies, or manipulate DNS-over-HTTPS settings to reroute users to spoofed websites.

These capabilities make CrossBarking particularly concerning, as attackers could redirect victims to malicious sites, facilitating adversary-in-the-middle attacks on sensitive accounts like banking or social media. When published, the rogue extension would seem harmless, requiring only permission to execute JavaScript on web pages to exploit domains with API access.

Tal, head of Guardio Labs, noted that these vulnerabilities illustrate a broader security gap, as extension stores remain vulnerable to rogue uploads. He stressed the need for more rigorous review processes for browser extensions, including stricter identity verification for developers and ongoing monitoring of extensions even after initial approval.