A new browser vulnerability called CrossBarking has been identified, affecting Opera users through “private” APIs that were meant only for select trusted sites. Browser APIs bridge websites with functionalities like storage, performance, and geolocation to enhance user experience. Most APIs are widely accessible and reviewed, but private ones are reserved for preferred applications. Researchers at Guardio found that these Opera-specific APIs were vulnerable to exploitation, especially if a malicious Chrome extension gained access.
Guardio’s demonstration showed that once a hacker gained access to these private APIs through a Chrome extension — easily installable by Opera users — they could run powerful scripts in a user’s browser context.
The malicious extension was initially disguised as a harmless tool, adding pictures of puppies to web pages.
However, it also contained scripts capable of extensive interference with Opera settings. Guardio used this approach to hijack the settingsPrivate API, which allowed them to reroute a victim’s DNS settings through a malicious server, providing the attacker with extensive visibility into the user’s browsing activities. With control over the DNS settings, they could manipulate browser content and even redirect users to phishing pages, making the potential for misuse significant.
Guardio emphasized that getting malicious extensions through Chrome’s review process is relatively easier than with Opera’s, which undergoes a more intensive manual review.
The researchers, therefore, leveraged Chrome’s automated, less stringent review process to create a proof-of-concept attack on Opera users.
CrossBarking’s implications go beyond Opera, underscoring the complex relationship between browser functionality and security. Opera took steps to mitigate this vulnerability by blocking scripts from running on private domains, a strategy that Chrome itself uses. However, they have retained the private APIs, acknowledging that managing security with third-party apps and maintaining functionality is a delicate balance.
Opera’s decision to address the CrossBarking vulnerability by restricting script access to domains with private API access offers a practical, though partial, solution. This approach minimizes the risk of malicious code running within these domains, but it does not fully eliminate potential exposure. Guardio’s research emphasizes the need for Opera, and similar browsers, to reevaluate their approach to third-party extension compatibility and the risks associated with cross-browser API permissions.
This vulnerability also underscores a broader industry challenge: balancing user functionality with security. While private APIs are integral to offering customized features, they open potential entry points for attackers when not adequately protected. Opera’s reliance on responsible disclosure practices with cybersecurity firms is a step forward. However, ongoing vigilance and a proactive stance toward enhancing browser security are essential as threats continue to evolve, particularly in a landscape where third-party extensions can easily be overlooked as potential risks.
In response, Opera has collaborated closely with researchers and relies on responsible vulnerability disclosures from third-party security firms like Guardio to address any potential risks preemptively. Security professionals highlight that browser developers should consider the full ecosystem, assessing how interactions across apps and extensions might introduce vulnerabilities.