Experts from Guardio Labs have discovered a vulnerability in the Opera browser that allows hackers to execute most files on computers running Windows and macOS operating systems.
According to The Hacker News, the issue concerns the browser’s built-in My Flaw feature, which is part of the Opera Touch Background extension and has not been removed. My Flaw allows users to take notes and share files between desktop browsers and mobile devices.
This is a familiar feature as modern software developers often provide tools to exchange data between computers and mobile devices quickly. Still, in the case of Opera, this comes at a cost.
Guardio Labs says My Flaw’s interface works like a chat for file sharing, providing an “Open” function for any message with attachments, meaning files can be executed directly from the web interface. This results in the web context interacting with the system API to execute files from the file system outside the browser without sandboxing or restrictions.
Additionally, websites and extensions can be connected to My Flaw. This means an attacker can create a malicious extension that impersonates the mobile device the victim’s computer connects to. They can then use JavaScript to deliver a malicious file that will be executed when someone clicks anywhere on the screen.
Opera’s developers were notified about the vulnerability in My Flaw on November 17 last year, and the vulnerability was patched on November 22.