Zero-Click Flaw in Opera GX Leaked Gmail Addresses via Universal CSS Injection
A critical vulnerability in **Opera GX**, the gaming-focused browser, allowed malicious websites to silently install browser add-ons and exfiltrate sensitive data, such as full **Gmail** addresses, without any user interaction. The flaw leveraged a 'universal CSS injection' technique, enabling attackers to reconstruct personal information character by character from visited pages. **Opera** has since patched the issue, confirming no in-the-wild exploitation.
Cybersecurity researchers have uncovered a significant zero-click vulnerability in **Opera GX** that permitted the silent installation of browser add-ons, subsequently enabling the exfiltration of specific user data from visited web pages.
The flaw, rated P1 (top severity) by **Opera**'s bug bounty team, demonstrated its potential by reconstructing a signed-in user's full **Gmail** address from a single, unclicked visit to a malicious site. **Opera** has addressed the issue in **Opera GX** version 130.0.5847.89 and stated they found no evidence of it being exploited in the wild.

### The Mechanics of the Attack
The vulnerability centered on **Opera GX**'s 'GX Mods,' which allow users to customize the browser's appearance. These mods, delivered as `.crx` files similar to browser extensions, are designed to apply custom sounds, themes, wallpapers, and CSS, but crucially, they cannot run JavaScript or hold permissions.
The critical weakness lay in their installation process: **Opera**'s mod pipeline automatically downloads and enables a mod without an approval prompt. This allowed a malicious web page to silently install a mod, for instance, by loading a hidden `iframe` pointing to a `.crx` file. The only indication to the user was a subtle notification bar below the address bar.
This auto-install behavior was not new; researcher **Renwa** identified it in 2023, using it to spoof the browser's address bar by escalating an installed mod into a full extension. While **Opera** patched that specific attack in March 2023, the underlying auto-install mechanism remained, setting the stage for this new research.
### Universal CSS Injection and XS-Leaks
While a cosmetic mod seems harmless, its CSS is applied to every page the user visits. Unlike ordinary CSS injection, which is confined to the page it lands on, this created a 'universal CSS injection,' where the attacker's styling reached every site opened by the browser.
CSS, by itself, cannot directly read or send page data. However, the researchers exploited **attribute selectors** β a CSS feature that can test if an element's attribute value begins with a specific character. By crafting numerous rules, each designed to fetch a unique background image from the attacker's server only when a match occurred (e.g., if an email address started with 'a', then 'b', etc.), they could reconstruct sensitive values character by character. This technique is known as an **XS-Leak** (cross-site leak).
To demonstrate, the researchers targeted a **Google** account page (`myaccount.google.com/contactemail`) that embeds the user's **Gmail** address within several HTML attributes. They packed a mod with approximately 150,000 CSS rules, each testing for a three-letter piece of the address. A reconstruction script then stitched these matches together to reveal the full email.

The attack chain was remarkably swift: the victim lands on a malicious page, the mod installs within seconds, and a few lines of JavaScript redirect the browser to the target **Google** account page. The mod's CSS, already loaded, fires requests and leaks the address as the page renders, all before the user can even register the notification or click 'Remove.' This method could similarly exfiltrate other values exposed in a page's markup, such as usernames.
### Broader Implications and Severity Assessment
Beyond data exfiltration, the researchers also documented a secondary, cruder use of the auto-install path: loading a `.crx` file while in private (Incognito) mode would crash the browser and dump every open tab. This affected both **Opera GX** and regular **Opera** browsers. **Opera**'s advisory, however, focused solely on the data theft fix and did not mention the crash vulnerability.
Initially, **Opera**'s bug bounty triage analysts on **Bugcrowd** struggled to grasp the severity, rating it a P3. The researchers, however, made a compelling case by reproducing the attack on an analyst, capturing their **Gmail** address's trigrams, rebuilding it, and pasting it directly into the report. This prompted **Opera**'s team to immediately elevate the severity to P1 and award the maximum $5,000 bounty.
While **Opera**'s official advisory frames the attack as complex and expresses confidence it wasn't exploited in the wild, the researchers' demonstration highlighted its efficacy as a zero-click attack. The core risk was not the cosmetic feature itself, but its 'universal' reach, allowing CSS to persist across multiple sites. This contrasts with traditional CSS-only theft, which typically remains confined to the page of injection, as seen in **PortSwigger**'s 'Blind CSS Exfiltration' research.
This incident is not the first time an **Opera** feature has been repurposed for malicious ends; in 2024, the 'MyFlaw' bug in **Opera**'s **My Flow** also allowed hackers to run arbitrary code, underscoring the ongoing challenges in securing complex browser functionalities.