Introduction

The CrossBarking attack represents a significant security vulnerability in the Opera web browser, which was recently patched. This flaw allowed malicious extensions to exploit non-public application programming interfaces (APIs), leading to unauthorized access and a range of harmful actions.

Description

The CrossBarking attack is a recently patched security vulnerability in the Opera web browser that allowed malicious extensions to gain unauthorized access to non-public application programming interfaces (APIs). This flaw enabled a range of harmful actions, including capturing screenshots of open tabs, modifying browser settings [1] [2] [3] [4] [5], and hijacking accounts by extracting session cookies. Researchers from Guardio Labs demonstrated this exploit by publishing a seemingly harmless Chrome extension [1] [4], disguised as a puppy-themed application [2], on the Chrome Web Store [1] [4] [5] [6]. Unsuspecting Opera users could be tricked into installing this extension [6], which exploited the vulnerability to access powerful APIs typically reserved for trusted sites [3]. This cross-browser-store attack utilized several Opera-owned publicly accessible subdomains that had privileged access to private APIs [1], which support features like Opera Wallet and Pinboard [4] [5].

The non-public APIs [2], exposed only to select third-party domains and internal development domains [2] [3], were what made the malicious actions possible. The researchers specifically targeted the settingsPrivate API [2] [3], which permits reading and modifying browser settings [2] [3]. They successfully demonstrated the ability to redirect browsing activity through adversary-in-the-middle attacks, including altering a victim’s Domain Name System (DNS) settings to route all browser activity through a malicious DNS server [2] [3], thereby gaining visibility into the victim’s browsing habits and manipulating webpage content [2].

To execute the CrossBarking attack [3], the malicious extension needed permission to run JavaScript on web pages [4], in particular on the pages that had access to private APIs [4], which made direct script injection possible [3]. Although sandboxing isolates the browser context from the operating system [4], content scripts in browser extensions could still inject malicious JavaScript into these permissive domains [1] [4].

In response to the CrossBarking vulnerability [2] [3], Opera implemented a temporary fix on September 24 [2], blocking extensions from executing scripts on domains that utilize non-public API access [2]. Following this discovery [6], collaboration between Guardio and Opera led to plans for reviewing how web app features are enabled in the browser to prevent similar issues in the future [6]. Despite this remediation, the existence of private APIs and the cross-compatibility with Chrome extensions continue to pose ongoing security challenges [3], underscoring the need for vigilance when installing browser extensions from official stores and the delicate balance between functionality and security within browser ecosystems.
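The two paragraphs above describe the mechanism (an extension's content scripts running on domains that can reach non-public APIs) and Opera's mitigation (blocking extension scripts on those domains). The following is an added example, not code from the article, Opera or Guardio: a small manifest audit that flags content scripts whose match patterns would place them on such domains. The privileged host names are constructed placeholders, since the article does not name Opera's subdomains.

```javascript
// Added example (not from the original article or from Opera/Guardio).
// Audit an extension manifest for content scripts that would execute on
// hosts that are allowed to reach non-public browser APIs.
// PRIVILEGED_HOSTS is a constructed placeholder list; the article does not
// name the real Opera subdomains.
const PRIVILEGED_HOSTS = ["wallet.example-browser.test", "pinboard.example-browser.test"];

// Turn a Chrome/Opera match pattern (e.g. "*://*.example.com/*" or
// "<all_urls>") into a predicate over a hostname.
function hostMatcher(pattern) {
  if (pattern === "<all_urls>") return () => true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\//.exec(pattern);
  if (!m) return () => false; // malformed pattern never matches
  const host = m[2];
  if (host === "*") return () => true;
  if (host.startsWith("*.")) {
    const suffix = host.slice(2); // "*.a.b" matches a.b and any subdomain
    return (h) => h === suffix || h.endsWith("." + suffix);
  }
  return (h) => h === host;
}

// For each content script, list the privileged hosts its patterns reach.
// An empty result means no script would run on a privileged host.
function auditManifest(manifest, privilegedHosts = PRIVILEGED_HOSTS) {
  const findings = [];
  for (const cs of manifest.content_scripts || []) {
    const matchers = (cs.matches || []).map(hostMatcher);
    const reached = privilegedHosts.filter((h) => matchers.some((fn) => fn(h)));
    if (reached.length) findings.push({ js: cs.js || [], hosts: reached });
  }
  return findings;
}

// Constructed sample manifest: a broad "<all_urls>" content script reaches
// every privileged host, while a narrowly scoped one reaches none.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  content_scripts: [
    { matches: ["<all_urls>"], js: ["puppy.js"] },
    { matches: ["https://news.example.test/*"], js: ["news.js"] },
  ],
};

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

The same check applies to `host_permissions` entries, which an extension can use to inject scripts at runtime; a store reviewer or enterprise policy would run it over both lists.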

Conclusion

The CrossBarking vulnerability highlights the critical need for robust security measures in web browsers, particularly concerning the management of private APIs and extension permissions. While Opera’s temporary fix addresses the immediate threat, ongoing collaboration and review are essential to prevent future vulnerabilities. Users must remain cautious when installing extensions, as the balance between browser functionality and security remains a complex challenge.

References

[1] https://machinedaily.ai/opera-browser-fixes-large-safety-gap-that-may-have-uncovered-your-data/
[2] https://aiandtechs.com/crossbarking-assault-exposes-opera-browser-customers-by-way-of-apis/
[3] https://www.darkreading.com/vulnerabilities-threats/crossbarking-attack-secret-apis-expose-opera-browser-users
[4] https://thehackernews.com/2024/10/opera-browser-fixes-big-security-hole.html
[5] https://www.techepages.com/opera-browser-fixes-big-security-hole-that-could-have-exposed-your-information/
[6] https://blogs.opera.com/security/2024/10/vulnerability-opera-guardio/