On January 15, 2024, cybersecurity researchers made a disclosure of a security flaw in the Opera web browser for Microsoft Windows and Apple macOS. The flaw, named MyFlaw, can be used to execute any file on the underlying operating system by taking advantage of a feature called My Flow that syncs messages and files between mobile and desktop devices. The flaw impacts both the Opera browser and Opera GX, but was addressed in updates shipped on November 22, 2023, after responsible disclosure on November 17, 2023.
The flaw allows for the execution of files outside of the browser’s security boundaries, using the My Flow feature’s chat-like interface to exchange notes and files facilitated through a built-in browser extension called “Opera Touch Background.” The domains that can communicate with this extension are controlled by the browser vendor itself, but the vulnerability was discovered on a forgotten version of the My Flow landing page hosted on an external domain.
The flaw allows for an unsafe, forgotten, vulnerable code to be injected, providing access to high permission native browser API, and facilitating the transmission of an encrypted malicious payload to the host for subsequent execution by prompting the user to click anywhere on the screen.
The collaboration between the company and Guardio Labs, who discovered the vulnerability, resulted in the implementation of a fix on the server side and the removal of the cause of the issues. The company expressed gratitude to Guardio Labs and emphasized the importance of working together with security experts and researchers around the world to maintain and improve the security of their products.