Opera GX, the gaming-focused browser, has patched a critical vulnerability that allowed malicious websites to silently install browser modifications, or mods, and subsequently steal sensitive user data. Discovered by security researchers zhero_ and inzo_, the flaw leveraged the browser's automatic mod installation process to inject Cascading Style Sheets (CSS) and exfiltrate information like Gmail addresses from visited pages. Opera addressed the issue in version 130.0.5847.89, confirming no evidence of in-the-wild exploitation.
Silent Mod Installation Posed Data Risk
A significant security vulnerability in Opera GX enabled malicious actors to automatically install browser mods without user approval, creating a pathway for data theft. This critical flaw, identified by security researchers zhero_ and inzo_, allowed attackers to reconstruct sensitive information, such as a signed-in user's full Gmail address, from a single page visit without any user interaction. Opera has since deployed a fix, urging users to ensure their browser is updated to the latest version.
Vulnerability Details and Remediation
The vulnerability stemmed from Opera GX's mod pipeline, which automatically downloads and enables custom mods—used for themes, sounds, and CSS restyling—without requiring explicit user confirmation. Researchers demonstrated that a malicious webpage could exploit this by loading a hidden iframe pointed at a specially crafted .crx mod file. Once installed, these mods could use advanced CSS injection rules to read specific data attributes on visited pages and transmit that data to an attacker's server via unique, tracker-like URLs. Opera's bug bounty team recognized the severity of the issue, rating it P1, their highest classification, and awarded the maximum payout of $5,000 for the critical finding. The fix was included in Opera GX version 130.0.5847.89, released around July 3, 2026, and users can verify their browser version by navigating to opera://about.
Historical Context of Mod Auto-Installation
The underlying auto-install behavior for Opera GX mods is not a new discovery. Researcher Renwa previously highlighted this mechanism in 2023, demonstrating how it could be escalated to a full browser extension to spoof the address bar. While Opera patched that specific address bar spoofing attack in March 2023, the core auto-installation functionality remained in place, forming the basis for this latest vulnerability. This history underscores the ongoing challenges in securing browser functionalities that prioritize user convenience through automation. Opera maintains a robust bug bounty program to encourage responsible disclosure of such vulnerabilities by the security community.
"Researchers zhero_ and inzo_ discovered that, under specific conditions, a third-party website could be set up to force the installation of a mod on Opera GX." — Opera Security Team, Official Opera Blog
The attack required no clicks or explicit approvals from the user, leaving no practical workaround other than applying the patch.
- The vulnerability allowed silent installation of browser mods.
- Malicious mods utilized CSS injection to extract user data.
- A proof of concept successfully reconstructed a Gmail address.
- Opera rated the issue as P1, its top severity level.
- The fix shipped in Opera GX version 130.0.5847.89.
What This Means
For professionals, developers, and tech enthusiasts, this incident serves as a crucial reminder of the persistent threat landscape in browser security. While Opera has acted swiftly to patch the flaw, the nature of the attack—requiring no user interaction—highlights how seemingly innocuous features, like browser customization through mods, can become vectors for sophisticated data exfiltration. The fact that the underlying auto-install behavior had been identified previously by Renwa in 2023, yet remained exploitable in a different context, underscores the complexity of comprehensive security. It emphasizes the need for continuous vigilance in both development and user practices, particularly regarding automatic processes that bypass explicit user consent.
Key Points
- Security researchers zhero_ and inzo_ uncovered the critical Opera GX mod vulnerability.
- The flaw enabled malicious sites to silently install mods and steal user data via CSS injection.
- Opera patched the vulnerability in Opera GX version 130.0.5847.89, released around July 3, 2026.
- The issue was rated P1, Opera's highest severity, and resulted in a $5,000 bug bounty payout.
- No evidence of the vulnerability being exploited in the wild was found by Opera.
The Bottom Line
The recent Opera GX mod vulnerability underscores the importance of prompt browser updates and the continuous scrutiny of automated features. Users should ensure their Opera GX browser is updated to version 130.0.5847.89 or newer to mitigate this specific risk. This incident also highlights the critical role of security researchers and bug bounty programs in identifying and addressing complex vulnerabilities before they can be widely exploited.
