Researchers demonstrated that an attacker could use a malicious Chrome extension to inject custom code into a victim’s Opera browser, thereby exploiting advanced and powerful APIs. These APIs are generally reserved for developers and only the most trusted sites. Researchers have discovered a new browser attack that exploits “private” application programming interfaces (APIs) in Opera, granting attackers complete control over victims’ browsers.
Browser APIs serve as a link between web applications and browser functionalities, covering areas such as security, storage, performance optimization, geolocation, and more. This enables websites to offer enhanced features and experiences. Most of these APIs are publicly accessible to everyone and undergo thorough review processes.
Companies often tend to grant special permissions to their favored apps and websites. For instance, the Opera browser reserves “private” APIs for several selected third-party domains such as Instagram, Atlassian, and Russia’s Yandex and VK, which is not prone to attack. Additionally, it includes its own internal development domains along with those publicly accessible in the production version of the browser.
These private APIs can be beneficial for developers; however, researchers from Guardio revealed that hackers could also exploit them. This exposure grants cyberattackers numerous capabilities directly through a browser: altering settings, taking over accounts, disabling security extensions, installing additional harmful extensions, and more. The team demonstrated this with a dog-themed proof-of-concept attack named “CrossBarking.”
CrossBarking Opera Browser Attack
The objective of CrossBarking is to execute harmful code within the environment of websites that have access to powerful, private APIs. This can be achieved by exploiting a cross-site scripting (XSS) vulnerability or, more simply, using a malicious browser extension.
Getting a malicious extension onto Opera is quite challenging. Numerous developers have expressed frustration over the lengthy manual review process, which can take months or even years in some instances. However, this rigorous evaluation ensures peace of mind for Opera’s 350 million active users, who know that any extensions added to their browsers have been meticulously scrutinized and vetted.
However, this doesn’t quite apply to Chrome extensions, which Opera users can also download. The review process for Chrome add-ons is mostly automated and they may become available within hours or days of submission for approval.
To exploit privileged Opera sites, Guardio researchers created a Chrome extension instead of an Opera one. It was designed to add pictures of puppies to webpages, a disguise for executing scripts on any site that concealed its malicious intent well enough to secure approval in the Chrome Store. If an Opera user with an affinity for puppy-themed extensions installed it and then visited a site with private API access, the extension would carry out script injection attacks directly. This allowed it to execute harmful code and take advantage of any permissions granted by those private APIs.
To showcase the extensive capabilities of CrossBarking, Guardio researchers focused on the settingsPrivate API. This API grants access to view and modify any browser settings. The researchers exploited settingsPrivate to alter a hypothetical victim’s Domain Name System (DNS) configurations, directing all their browsing data through a malicious DNS server. Consequently, they were able to monitor the victim’s online activities completely. This gave them the power to alter webpage content or redirect the victim to harmful sites.
“You could practically gain control of the entire browser and even the computer it’s on,” says Nati Tal, head of Guardio Labs. While his proof-of-concept concentrated on altering a specific browser setting, “similarly, you can modify any other setting. Numerous APIs are available to exploit—we simply didn’t have enough time to explore all potential avenues.”
Security vs. Functionality in Browser APIs
In the ongoing battle between functionality and security, browser developers are reluctant to relinquish special APIs that grant them capabilities beyond those available to the general public. This is true for Opera as well as other browsers. In May, Guardio uncovered a similar problem involving a private API used for marketing in another Chromium-based browser, Microsoft Edge.
To address the CrossBarking issue, Opera retained its private APIs and maintained compatibility with Chrome extensions. However, on September 24th, it implemented a temporary solution similar to one used by Chrome: preventing any extension from running scripts on domains that have access to private APIs.
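The mitigation above turns on one condition: whether an extension is allowed to run scripts on a domain that holds private API access. As an added example (not Guardio's or Opera's code), this Node.js audit checks that condition against an extension's manifest.json by evaluating its Chrome match patterns. The host list and both manifests are constructed placeholders, since the article names the favored sites but not their hostnames.

```javascript
// Constructed placeholder hosts: the page names the favored sites but not their hostnames.
const PRIVILEGED_HOSTS = ["privileged.example", "dev.privileged.example"];

// True if a Chrome match pattern can apply to https://<host>/ (the path part is ignored,
// so a path-restricted pattern is still reported: conservative for an audit).
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|ftp|file):\/\/(\*|\*\.[^/*]+|[^/*]*)(\/.*)$/.exec(pattern);
  if (!m) return false; // malformed patterns match nothing
  const [, scheme, hostPart] = m;
  if (scheme !== "*" && scheme !== "https") return false;
  if (hostPart === "*") return true;
  if (hostPart.startsWith("*.")) {
    const base = hostPart.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return host === hostPart;
}

// Collect every place a manifest can declare script access to a host.
function auditManifest(manifest, hosts = PRIVILEGED_HOSTS) {
  const declared = [];
  for (const cs of manifest.content_scripts || [])
    for (const p of cs.matches || []) declared.push(["content_scripts", p]);
  for (const p of manifest.host_permissions || []) declared.push(["host_permissions", p]);
  for (const p of manifest.permissions || []) // Manifest V2 keeps host patterns here
    if (p === "<all_urls>" || p.includes("://")) declared.push(["permissions", p]);
  return declared
    .map(([source, pattern]) => ({
      source, pattern, covered: hosts.filter((h) => patternCoversHost(pattern, h)),
    }))
    .filter((f) => f.covered.length > 0);
}

// Constructed manifests: a cosmetic extension that asks for every site, and a scoped one.
const PUPPY = { manifest_version: 3, name: "puppy-pictures (constructed)",
  content_scripts: [{ matches: ["<all_urls>"], js: ["puppies.js"] }] };
const SCOPED = { manifest_version: 3, name: "news-helper (constructed)",
  host_permissions: ["https://*.news.example/*"], permissions: ["storage"] };

for (const m of [PUPPY, SCOPED]) {
  const hits = auditManifest(m);
  console.log(m.name, hits.length ? "REVIEW" : "ok", JSON.stringify(hits));
}
```

An extension whose only stated purpose is cosmetic but whose patterns cover every site is the case worth a manual look.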
Tal concludes that due to Chromium’s infrastructure, vendors must take charge of their own security and consider all potential attack vectors. The number of possible vectors is extensive.
He comments: “Once more, this particular instance didn’t even involve their [app store]. While Opera isn’t accountable for the Chrome Store, they do permit extensions from it. Therefore, it’s important for them to consider the full ecosystem and not just focus on a single vulnerability in order to stay ahead of potential threats.”