Attackers prize Remote Code Execution (RCE) vulnerabilities because they allow arbitrary code to be run on a target system from a distance.
That access lets a threat actor take control of the system and carry out a wide range of malicious activity.
Recently, cybersecurity researchers at Guardio Labs discovered an Opera browser bug that lets attackers run any file on macOS and Windows. The newly discovered flaw has been dubbed “MyFlaw.”
Opera’s My Flow
Opera’s My Flow is a file-sharing feature that seamlessly syncs notes and files between the desktop browser and the mobile app. Users pair the two by scanning a QR code in the mobile app, after which sharing happens in a chat-style interface.
That chat interface lets a received file be executed immediately via an ‘OPEN’ link, which is inherently high-risk. The researchers investigated this path and uncovered a significant flaw in the feature’s architecture and the controls around it.
Opera is built on the Chromium open-source project and shares its core code and design. To stand out, Opera leverages Chromium’s customization points, including built-in browser extensions that add enhanced features.
Unlike extensions installed from a store, these built-in extensions are pre-installed, cannot be disabled, and have broader capabilities.
MyFlaw – Opera Bug
My Flow in Opera relies on the built-in Opera Touch Background extension. Its manifest declares the extension’s permissions and capabilities; the notable entry is the externally_connectable declaration.
That declaration restricts which web pages can talk to the extension: only pages on the listed domains may open a channel through the chrome.runtime.connect API and reach the extension’s message handlers.
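As an added illustration (not code from Guardio’s write-up or from Opera), the snippet below implements the Chrome match-pattern rule that externally_connectable relies on and applies it to a few constructed URLs. The pattern `*://*.flow.opera.com/*` is an assumption standing in for whatever Opera’s manifest actually declares, and `old.flow.opera.com` is a hypothetical hostname. The point it demonstrates is that the trust boundary is every page on every subdomain the pattern covers, forgotten ones included, while lookalike hosts and other schemes fall outside it.

```javascript
// Added example: how an externally_connectable match pattern decides which
// web pages may call chrome.runtime.connect() into an extension.
// The pattern below is an ASSUMED stand-in for Opera's real manifest entry.
const ASSUMED_EXTERNALLY_CONNECTABLE = ["*://*.flow.opera.com/*"];

// Split a match pattern into scheme, host and path (http/https/* only; no file: or ftp:).
function parseMatchPattern(pattern) {
  const m = /^(\*|https?):\/\/(\*|\*\.[^/*]+|[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`invalid match pattern: ${pattern}`);
  return { scheme: m[1], host: m[2], path: m[3] };
}

// Turn the path glob (only "*" is special) into an anchored regular expression.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`);
}

// Chrome match-pattern semantics: a "*" scheme means http or https, "*.example.com"
// matches example.com and every subdomain, and the path glob is applied to the
// URL path plus query string.
function matchesPattern(pattern, urlString) {
  const { scheme, host, path } = parseMatchPattern(pattern);
  let url;
  try { url = new URL(urlString); } catch { return false; }
  const urlScheme = url.protocol.slice(0, -1);
  const schemeOk = scheme === "*" ? urlScheme === "http" || urlScheme === "https" : urlScheme === scheme;
  if (!schemeOk) return false;
  const h = url.hostname; // already lower-cased by the URL parser
  if (host.startsWith("*.")) {
    const base = host.slice(2).toLowerCase();
    if (h !== base && !h.endsWith("." + base)) return false;
  } else if (host !== "*" && h !== host.toLowerCase()) {
    return false;
  }
  return globToRegExp(path).test(url.pathname + url.search);
}

// Return the pattern that admits this page into the extension's message handlers, or null.
function canReachExtension(patterns, urlString) {
  return patterns.find((p) => matchesPattern(p, urlString)) ?? null;
}

// Constructed sample URLs. Only the first two are inside the boundary; note that a
// forgotten page on any subdomain is admitted exactly like the live My Flow page.
const SAMPLE_URLS = [
  "https://flow.opera.com/",
  "https://old.flow.opera.com/legacy/index.html", // hypothetical forgotten page
  "https://flow.opera.com.evil.example/",         // lookalike host, outside the boundary
  "https://evil.example/flow.opera.com/",         // the domain appears only in the path
  "ftp://flow.opera.com/",                        // "*" scheme covers http/https only
];

for (const u of SAMPLE_URLS) {
  console.log(canReachExtension(ASSUMED_EXTERNALLY_CONNECTABLE, u) ? "ALLOWED" : "blocked", u);
}
```

Run it with `node`. The check itself is enforced by Chromium before the extension’s listener ever sees a message, so from the extension’s point of view every page that passes it is equally trusted; that is why a stray page on a matching subdomain is as good as the real one.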
Message listeners in the extension code reveal the special capabilities My Flow is granted.
Digging into the OPEN_FILE handler reveals a call to a native private API, opr.operaTouchPrivate.openFile(String filename).
The DOWNLOAD_FILE handler writes a file under ~/Downloads/MyFlow/. If an attacker could trigger both handlers, a malicious payload could be downloaded and executed without user intervention.
The catch is that the attacker-controlled code must run inside a page under opera[.]com, the domain scope the extension declares.
Only resources served from Opera-controlled domains can reach the DOWNLOAD_FILE and OPEN_FILE handlers, and that boundary is the crucial security measure. The obvious first route, an XSS on one of those pages, was set aside on the assumption that the pages are well coded.
A third-party extension offers a more direct route, but Opera’s security policies prevent an extension from injecting script into Opera’s own pages via chrome.tabs.executeScript. The WebRequest and DeclarativeNetRequest APIs, however, are permitted on flow.opera[.]com, which lets an extension alter the page’s resource requests.
Even so, the Content Security Policy (CSP) on those pages blocks unauthorized script execution. Historical scans with urlscan.io, though, turned up forgotten HTML pages under *.flow.opera[.]com, which suggested an exploit opportunity.
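Added example, not from Guardio or Opera: a simplified Content Security Policy evaluator for external scripts. It models the decision a page’s CSP makes about a script request that an extension has redirected via DeclarativeNetRequest. The request is checked against script-src both before and after the redirect, so a page that names its script origins blocks the swap, while a forgotten page served with no CSP header admits anything. The policy strings and the hostnames `static.opera.example` and `attacker.example` are constructed, and `old.flow.opera.com` is a hypothetical forgotten page, not one the research named.

```javascript
// Added example: a simplified CSP evaluator for external <script src> loads.
// Simplifications (stated so nobody relies on this as a full CSP engine):
// ports and paths in host-sources are ignored, nonces/hashes/'strict-dynamic'
// are not modelled, and "*" is treated as "any http(s) origin".

// Parse a CSP header into { directiveName: [sourceExpression, ...] }.
// Per spec the first occurrence of a directive wins; later duplicates are ignored.
function parseCsp(header) {
  const policy = {};
  for (const raw of (header || "").split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Does one source expression permit scriptUrl on a page at pageUrl?
function sourceMatches(source, scriptUrl, pageUrl) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return scriptUrl.origin === pageUrl.origin;
  if (s.startsWith("'")) return false; // other keywords never admit an external src on their own
  if (s === "*") return scriptUrl.protocol === "http:" || scriptUrl.protocol === "https:";
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return scriptUrl.protocol === s; // scheme-source, e.g. "https:"
  // host-source: [scheme://]host[:port][/path]; port and path are ignored here.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(?:\d+|\*))?(\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, host] = m;
  // A scheme-less host-source inherits the page's scheme; an http page may also load https.
  const wantScheme = scheme ? `${scheme}:` : pageUrl.protocol;
  const schemeOk = scriptUrl.protocol === wantScheme || (wantScheme === "http:" && scriptUrl.protocol === "https:");
  if (!schemeOk) return false;
  const h = scriptUrl.hostname;
  return host.startsWith("*.") ? h.endsWith(host.slice(1)) : h === host;
}

// Would an external script at scriptUrl execute on pageUrl under this CSP header?
// No header, or a header with neither script-src nor default-src, means no restriction.
function scriptAllowedByCsp(cspHeader, scriptUrl, pageUrl) {
  if (!cspHeader) return true;
  const policy = parseCsp(cspHeader);
  const sources = policy["script-src"] ?? policy["default-src"];
  if (sources === undefined) return true;
  const script = new URL(scriptUrl);
  const page = new URL(pageUrl);
  return sources.some((src) => sourceMatches(src, script, page));
}

// A redirected script request must satisfy the policy at both the original URL and the
// redirect target, which is what defeats a DeclarativeNetRequest swap on a CSP-protected page.
function redirectedScriptAllowed(cspHeader, originalUrl, redirectUrl, pageUrl) {
  return scriptAllowedByCsp(cspHeader, originalUrl, pageUrl) && scriptAllowedByCsp(cspHeader, redirectUrl, pageUrl);
}

// Constructed scenarios: a hardened page that names its script origins, and a
// hypothetical forgotten page served with no CSP at all.
const HARDENED_CSP = "default-src 'none'; script-src 'self' https://static.opera.example";
const FORGOTTEN_CSP = null;
const ORIGINAL_SCRIPT = "https://flow.opera.com/app.js";
const ATTACKER_SCRIPT = "https://attacker.example/payload.js";

console.log("hardened page, swapped script:",
  redirectedScriptAllowed(HARDENED_CSP, ORIGINAL_SCRIPT, ATTACKER_SCRIPT, "https://flow.opera.com/")); // false
console.log("forgotten page, swapped script:",
  redirectedScriptAllowed(FORGOTTEN_CSP, ORIGINAL_SCRIPT, ATTACKER_SCRIPT, "https://old.flow.opera.com/legacy.html")); // true
```

The practical check this encodes for a defender: every page on a domain that an extension trusts via externally_connectable needs a script-src that names its real script origins, because a single page without one becomes the injection point for the whole boundary.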
With an injection point in hand, the proof-of-concept extension still needed a payload to download and execute. The extension mimics My Flow’s own actions on flow.opera[.]com: it registers a fake paired device and obtains a pairing token.
Rather than simulating a full file transfer, abusing the SEND_FILE handler lets the extension write a malicious file directly to the host file system, which OPEN_FILE can then execute.
The researchers hit one permissions hurdle in the My Flow API: OPEN_FILE requires a click event. That requirement turns the attack from zero-click into one-click, but it still leaves Opera users worldwide who run a vulnerable version exposed.
The researchers notified Opera of the vulnerability immediately, and Opera responded promptly and cooperated efficiently.