Opera GX Zero-Click Vulnerability Let Malicious Sites Steal User Data Through GX Mods


A critical Opera GX vulnerability allowed a malicious website to silently install a GX Mod and use it to leak data from pages the user visited. The attack required no click, no extension permission prompt, and no manual installation step from the victim.

The issue was documented by Rachid Allam and inzo_, who showed how Opera GX’s customization system could be turned into a browser-wide CSS injection channel. In a proof of concept, the researchers reconstructed a signed-in user’s Gmail address after the victim visited an attacker-controlled site.

Opera has patched the flaw. In its Opera security advisory, the company said users running Opera GX version 130.0.5847.89 or later have received the fix.

What caused the Opera GX vulnerability?

The root problem involved GX Mods, Opera GX’s browser customization feature. The official GX Mods page describes the feature as a way to change themes, sounds, fonts, shaders, splash screens, and other browser elements.

GX Mods are packaged in .crx files, similar to Chromium extensions, but they do not behave like full browser extensions. They do not support JavaScript execution and they do not request the usual extension permissions. However, they can apply CSS to websites visited by the user.

The dangerous part was installation behavior. A malicious page could cause Opera GX to download and enable a mod automatically, with only a notification bar appearing after installation. That gave attacker-controlled CSS a path into pages beyond the original malicious website.

DetailCurrent information
Affected productOpera GX
Feature involvedGX Mods
Attack typeZero-click XS-Leak through universal CSS injection
User interaction neededVisit to a malicious website
Proof-of-concept targetGmail address exposed through a Google account page
Fixed versionOpera GX 130.0.5847.89 and later
CVE statusNo CVE was listed in public reporting

How the zero-click attack worked

The attack started when a victim landed on a malicious website. That site could trigger the installation of a malicious GX Mod by pointing the browser to a .crx file. Once installed, the mod’s CSS could apply across webpages opened in Opera GX.

According to The Hacker News, the researchers demonstrated the impact by redirecting the victim to a Google account page after the mod was installed. The malicious CSS then checked for small fragments of the user’s Gmail address and sent matching signals to an attacker-controlled server.

This is known as an XS-Leak, or cross-site leak. CSS cannot directly read a page like JavaScript can, but carefully designed selectors can infer whether certain values exist in the page and trigger outside requests when they match.

Why CSS injection was enough to steal data

CSS-based exfiltration works by turning style rules into signals. A rule can test whether a page contains a certain value, then load a remote resource only if the condition matches. Each request leaks a small clue.

The research write-up explains that the proof of concept split a Gmail address into overlapping three-character fragments, also called trigrams. The researchers then used a reconstruction algorithm to rebuild the address from the fragments that triggered requests.

The attack did not depend on stealing cookies, running JavaScript, or reading page content directly. It relied on browser behavior, CSS matching, and a mod system that allowed styling rules to follow the user across sites.

  • The victim visits an attacker-controlled website.
  • A malicious GX Mod installs without a permission prompt.
  • The browser redirects to a target page containing user data.
  • The mod’s CSS checks for small data fragments.
  • Matching fragments trigger requests to an attacker server.
  • The attacker reconstructs the exposed value from those signals.

Opera says the issue is now fixed

Opera said it updated the mod installation pipeline so a mod cannot be downloaded and enabled without explicit user interaction and clear confirmation. The Opera security post also said the company is confident the flaw was not exploited in the wild.

The researcher timeline says the vulnerability was reported through Bugcrowd on February 16, 2026, acknowledged by Opera on March 27, and patched on May 8. Opera later published its public explanation on July 3.

The fix is included in Opera GX 130.0.5847.89 and later. Users can check their version by opening Opera GX and going to opera://about. If the browser is up to date, the patch should already be installed.

TimelineEvent
February 16, 2026Researchers submitted the report through Bugcrowd
February 18, 2026Researchers uploaded a more efficient proof of concept
March 27, 2026Opera security analyst acknowledged the report
May 8, 2026Opera patched the vulnerability and awarded the bounty
July 3, 2026Opera published its public security explanation

A private browsing crash was also documented

The same research also described a denial-of-service condition affecting Opera GX and the standard Opera browser. The issue could occur when a .crx file was triggered in private browsing mode, causing the browser to crash and lose the current session.

This crash issue was separate from the data exfiltration proof of concept. The data theft path depended on Opera GX Mods and browser-wide CSS injection, while the private-mode crash involved the extension installation pipeline.

For users, the practical takeaway is the same: keep Opera GX updated and avoid running outdated browser builds. Browser customization features can introduce risk when installation and confirmation steps do not match the power those features receive.

Why GX Mods became a security risk

GX Mods were designed for personalization. Opera says the Opera GX Mods feature lets users browse, apply, customize, and create mods through the GX Store and built-in modding tools.

That makes the feature useful for users who want a customized browser experience. But the vulnerability showed that even a no-JavaScript customization package can become dangerous if it installs automatically and applies CSS across every page.

Security risk often comes from the gap between what a feature appears to do and what it can actually reach. A visual mod may look harmless, but browser-wide CSS gives attackers enough reach to infer sensitive page data under the right conditions.

  • Customization features can touch more browsing context than users expect.
  • Permissionless add-ons can still create privacy risk.
  • CSS-only attacks can leak data indirectly.
  • Automatic installation can turn a feature into an attack surface.
  • Browser update speed matters when no reliable workaround exists.

What Opera GX users should do now

Opera GX users should update to version 130.0.5847.89 or later. The simplest way to confirm protection is to open opera://about and let the browser check for updates.

Reporting from The Hacker News notes that the attack had no practical workaround short of installing the patch, because it required only a visit to a malicious page. That makes updating the most important step.

  1. Open Opera GX.
  2. Go to opera://about.
  3. Confirm the browser is on version 130.0.5847.89 or later.
  4. Restart the browser if an update installs.
  5. Review installed mods and remove anything unfamiliar.
  6. Avoid visiting links from untrusted messages, gaming chats, or unknown download pages.

What this means for browser security

The Opera GX flaw shows that browsers need strong confirmation flows for any feature that can change page behavior across sites. Users often understand extension permission prompts, but they may not expect a browser theme or mod to become part of a cross-site data leak.

For security teams, the lesson is broader than Opera GX. Managed environments should track browser versions, restrict unauthorized add-ons where possible, and review customization systems that apply code or styling across webpages.

For researchers, the case reinforces the growing relevance of XS-Leak techniques. Attackers do not always need direct script access to steal useful data. Sometimes subtle browser behavior, page structure, and network side effects provide enough signal to expose private information.

FAQ

What was the Opera GX zero-click vulnerability?

The Opera GX vulnerability allowed a malicious website to silently install a GX Mod and use browser-wide CSS injection to leak data from pages the user visited. The attack required no click or extension permission prompt.

Which Opera GX version fixes the vulnerability?

Opera GX version 130.0.5847.89 and later includes the fix. Users can check their version by opening opera://about in Opera GX.

Did the Opera GX flaw have a CVE?

Public reporting did not list a CVE for the Opera GX GX Mods vulnerability. Opera handled the issue through responsible disclosure and its bug bounty process.

What data could attackers steal through the Opera GX flaw?

The proof of concept reconstructed a signed-in user’s Gmail address from a Google account page. The same technique could potentially leak other values exposed in webpage markup if the attacker can design matching CSS rules.

What should Opera GX users do now?

Users should update Opera GX to version 130.0.5847.89 or later, restart the browser after updating, review installed mods, and remove anything unfamiliar.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages