Opera GX Zero-Click Vulnerability Let Malicious Sites Steal User Data Through GX Mods
A critical Opera GX vulnerability allowed a malicious website to silently install a GX Mod and use it to leak data from pages the user visited. The attack required no click, no extension permission prompt, and no manual installation step from the victim.
The issue was documented by Rachid Allam and inzo_, who showed how Opera GX’s customization system could be turned into a browser-wide CSS injection channel. In a proof of concept, the researchers reconstructed a signed-in user’s Gmail address after the victim visited an attacker-controlled site.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Opera has patched the flaw. In its Opera security advisory, the company said users running Opera GX version 130.0.5847.89 or later have received the fix.
What caused the Opera GX vulnerability?
The root problem involved GX Mods, Opera GX’s browser customization feature. The official GX Mods page describes the feature as a way to change themes, sounds, fonts, shaders, splash screens, and other browser elements.
GX Mods are packaged in .crx files, similar to Chromium extensions, but they do not behave like full browser extensions. They do not support JavaScript execution and they do not request the usual extension permissions. However, they can apply CSS to websites visited by the user.
The dangerous part was installation behavior. A malicious page could cause Opera GX to download and enable a mod automatically, with only a notification bar appearing after installation. That gave attacker-controlled CSS a path into pages beyond the original malicious website.
| Detail | Current information |
|---|---|
| Affected product | Opera GX |
| Feature involved | GX Mods |
| Attack type | Zero-click XS-Leak through universal CSS injection |
| User interaction needed | Visit to a malicious website |
| Proof-of-concept target | Gmail address exposed through a Google account page |
| Fixed version | Opera GX 130.0.5847.89 and later |
| CVE status | No CVE was listed in public reporting |
How the zero-click attack worked
The attack started when a victim landed on a malicious website. That site could trigger the installation of a malicious GX Mod by pointing the browser to a .crx file. Once installed, the mod’s CSS could apply across webpages opened in Opera GX.
According to The Hacker News, the researchers demonstrated the impact by redirecting the victim to a Google account page after the mod was installed. The malicious CSS then checked for small fragments of the user’s Gmail address and sent matching signals to an attacker-controlled server.
This is known as an XS-Leak, or cross-site leak. CSS cannot directly read a page like JavaScript can, but carefully designed selectors can infer whether certain values exist in the page and trigger outside requests when they match.
Why CSS injection was enough to steal data
CSS-based exfiltration works by turning style rules into signals. A rule can test whether a page contains a certain value, then load a remote resource only if the condition matches. Each request leaks a small clue.
The research write-up explains that the proof of concept split a Gmail address into overlapping three-character fragments, also called trigrams. The researchers then used a reconstruction algorithm to rebuild the address from the fragments that triggered requests.
The attack did not depend on stealing cookies, running JavaScript, or reading page content directly. It relied on browser behavior, CSS matching, and a mod system that allowed styling rules to follow the user across sites.
- The victim visits an attacker-controlled website.
- A malicious GX Mod installs without a permission prompt.
- The browser redirects to a target page containing user data.
- The mod’s CSS checks for small data fragments.
- Matching fragments trigger requests to an attacker server.
- The attacker reconstructs the exposed value from those signals.
Opera says the issue is now fixed
Opera said it updated the mod installation pipeline so a mod cannot be downloaded and enabled without explicit user interaction and clear confirmation. The Opera security post also said the company is confident the flaw was not exploited in the wild.
The researcher timeline says the vulnerability was reported through Bugcrowd on February 16, 2026, acknowledged by Opera on March 27, and patched on May 8. Opera later published its public explanation on July 3.
The fix is included in Opera GX 130.0.5847.89 and later. Users can check their version by opening Opera GX and going to opera://about. If the browser is up to date, the patch should already be installed.
| Timeline | Event |
|---|---|
| February 16, 2026 | Researchers submitted the report through Bugcrowd |
| February 18, 2026 | Researchers uploaded a more efficient proof of concept |
| March 27, 2026 | Opera security analyst acknowledged the report |
| May 8, 2026 | Opera patched the vulnerability and awarded the bounty |
| July 3, 2026 | Opera published its public security explanation |
A private browsing crash was also documented
The same research also described a denial-of-service condition affecting Opera GX and the standard Opera browser. The issue could occur when a .crx file was triggered in private browsing mode, causing the browser to crash and lose the current session.
This crash issue was separate from the data exfiltration proof of concept. The data theft path depended on Opera GX Mods and browser-wide CSS injection, while the private-mode crash involved the extension installation pipeline.

For users, the practical takeaway is the same: keep Opera GX updated and avoid running outdated browser builds. Browser customization features can introduce risk when installation and confirmation steps do not match the power those features receive.
Why GX Mods became a security risk
GX Mods were designed for personalization. Opera says the Opera GX Mods feature lets users browse, apply, customize, and create mods through the GX Store and built-in modding tools.
That makes the feature useful for users who want a customized browser experience. But the vulnerability showed that even a no-JavaScript customization package can become dangerous if it installs automatically and applies CSS across every page.
Security risk often comes from the gap between what a feature appears to do and what it can actually reach. A visual mod may look harmless, but browser-wide CSS gives attackers enough reach to infer sensitive page data under the right conditions.
- Customization features can touch more browsing context than users expect.
- Permissionless add-ons can still create privacy risk.
- CSS-only attacks can leak data indirectly.
- Automatic installation can turn a feature into an attack surface.
- Browser update speed matters when no reliable workaround exists.
What Opera GX users should do now
Opera GX users should update to version 130.0.5847.89 or later. The simplest way to confirm protection is to open opera://about and let the browser check for updates.

Reporting from The Hacker News notes that the attack had no practical workaround short of installing the patch, because it required only a visit to a malicious page. That makes updating the most important step.
- Open Opera GX.
- Go to opera://about.
- Confirm the browser is on version 130.0.5847.89 or later.
- Restart the browser if an update installs.
- Review installed mods and remove anything unfamiliar.
- Avoid visiting links from untrusted messages, gaming chats, or unknown download pages.
What this means for browser security
The Opera GX flaw shows that browsers need strong confirmation flows for any feature that can change page behavior across sites. Users often understand extension permission prompts, but they may not expect a browser theme or mod to become part of a cross-site data leak.
For security teams, the lesson is broader than Opera GX. Managed environments should track browser versions, restrict unauthorized add-ons where possible, and review customization systems that apply code or styling across webpages.
For researchers, the case reinforces the growing relevance of XS-Leak techniques. Attackers do not always need direct script access to steal useful data. Sometimes subtle browser behavior, page structure, and network side effects provide enough signal to expose private information.
FAQ
The Opera GX vulnerability allowed a malicious website to silently install a GX Mod and use browser-wide CSS injection to leak data from pages the user visited. The attack required no click or extension permission prompt.
Opera GX version 130.0.5847.89 and later includes the fix. Users can check their version by opening opera://about in Opera GX.
Public reporting did not list a CVE for the Opera GX GX Mods vulnerability. Opera handled the issue through responsible disclosure and its bug bounty process.
The proof of concept reconstructed a signed-in user’s Gmail address from a Google account page. The same technique could potentially leak other values exposed in webpage markup if the attacker can design matching CSS rules.
Users should update Opera GX to version 130.0.5847.89 or later, restart the browser after updating, review installed mods, and remove anything unfamiliar.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages