Security researchers have disclosed a vulnerability in Opera GX, the gaming-oriented variant of the Opera browser, that allowed a malicious website to silently install a browser mod and use it to harvest data from pages visited by the target user.
How the Attack Worked
The flaw enabled a remote, attacker-controlled site to trigger the installation of a browser add-on without requiring any deliberate action from the victim. Once installed, the malicious mod could read specific content from pages the user subsequently visited, effectively functioning as a targeted data-exfiltration tool operating inside the browser’s own trust boundary.
In a proof-of-concept demonstration, researchers were able to reconstruct a signed-in user’s full Gmail address from a single page visit, with no click or additional interaction required from the victim. The scenario illustrates how session context and page content accessible to a browser extension can be weaponized when the extension installation process can be abused remotely.
Scope and Patch Status
Opera has released a patch addressing the vulnerability. The company stated it found no evidence the flaw was exploited in the wild prior to the fix. Opera GX users should ensure they are running the latest available version of the browser to protect against this attack vector.
Broader Implications
The vulnerability highlights a class of risk specific to browsers that support first-party or curated extension ecosystems with installation flows distinct from mainstream web stores. When those flows lack sufficient origin validation or user-confirmation gates, they can become a vector for privilege escalation within the browser itself. Security teams managing environments where Opera GX is deployed should verify that automatic updates are enabled and review any installed browser mods for unexpected additions.
