Opera’s MyFlaw Vulnerability Allowed Arbitrary File Execution on macOS and Windows
Researchers at Guardio Labs have discovered a remote code execution (RCE) vulnerability in the Opera browser for Windows and macOS, which could be exploited to execute any file on the operating system. The issue, named MyFlaw, takes advantage of the My Flow feature in Opera, which is designed to synchronize messages and files between mobile and desktop devices.
The vulnerability affected both Opera and Opera GX browsers and was originally discovered on November 17, 2023. Since the researchers promptly reported the issue to the developers, it was fixed last year as part of updates released on November 22, 2023.
How the MyFlaw Vulnerability Worked
According to the researchers, My Flow is a chat-like interface for exchanging notes and files, which can be accessed through a web interface. This means that files could potentially be executed outside the browser’s security sandbox.
My Flow is pre-installed in Opera and is supported by a built-in extension called Opera Touch Background, which handles communication with its mobile counterpart. This extension comes with its own manifest file specifying all necessary permissions, including externally_connectable, which determines which web pages and extensions can connect to it. Only domains matching the patterns *.flow.opera.com and .flow.op-test.net—both controlled by Opera’s developers—should be able to interact with the extension.
However, using the urlscan.io scanner, Guardio Labs researchers found a “long-forgotten” version of the My Flow landing page hosted at web.flow.opera.com.
“The page itself looks identical to the current one, but the differences are under the hood: it lacks a [content security policy] meta tag and includes a script tag that loads a JavaScript file without any integrity checks,” the experts’ report states. “This is exactly what an attacker needs—a forgotten, insecure, code-injection-vulnerable resource with access to the browser’s highly privileged native API.”
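A defender can check for this combination directly: pages that an extension's externally_connectable patterns trust, yet which lack a CSP meta tag or load scripts without an integrity attribute. The audit below is an added example, not code from Guardio or Opera; the manifest fragment, the HTML bodies, the static.example.com and example.net hosts, and the new.flow.opera.com hostname are constructed for illustration.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urlsplit

class PageAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.has_csp_meta, self.unpinned = False, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            self.has_csp_meta = self.has_csp_meta or bool(a.get("content"))
        elif tag == "script" and a.get("src") and not a.get("integrity"):
            self.unpinned.append(a["src"])

def page_findings(html):
    # Only the markup is inspected; a CSP sent as an HTTP header is not visible here.
    p = PageAudit()
    p.feed(html)
    found = [] if p.has_csp_meta else ["no CSP meta tag"]
    return found + [f"script without integrity: {s}" for s in p.unpinned]

def trusted_host(host, manifest_json):
    """True if host falls under an externally_connectable match pattern (host part only)."""
    ec = json.loads(manifest_json).get("externally_connectable", {})
    for m in ec.get("matches", []):
        pat = m.split("://", 1)[-1].split("/", 1)[0]
        if pat == host or (pat.startswith("*.") and (host == pat[2:] or host.endswith(pat[1:]))):
            return True
    return False

def risky_pages(manifest_json, pages):
    """pages maps URL -> HTML; returns findings for pages the extension would trust."""
    out = {}
    for url, html in pages.items():
        findings = page_findings(html)
        if findings and trusted_host(urlsplit(url).hostname or "", manifest_json):
            out[url] = findings
    return out

# Constructed sample data: the manifest fragment and both HTML bodies are illustrative.
MANIFEST = '{"externally_connectable": {"matches": ["*://*.flow.opera.com/*"]}}'
LEGACY = '<html><head><script src="https://static.example.com/app.js"></script></head></html>'
HARDENED = ('<html><head><meta http-equiv="Content-Security-Policy" content="script-src \'self\'">'
            '<script src="/app.js" integrity="sha384-PLACEHOLDER"></script></head></html>')
PAGES = {"https://web.flow.opera.com/": LEGACY,      # host named in the article
         "https://new.flow.example.net/": LEGACY,    # same weak page, not trusted
         "https://new.flow.opera.com/": HARDENED}    # constructed hostname
```

Calling risky_pages(MANIFEST, PAGES) reports only the legacy page on the trusted host, which is the situation the report describes: a wildcard pattern extends the extension's trust to every page under the domain, including ones nobody maintains.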
The attack developed by the researchers used a specially crafted extension. It prompted the user to click anywhere on the screen and was used to deliver an encrypted payload via a modified JavaScript file to the host for execution.
Proof of Concept
“The attack is carried out using a browser extension controlled by the attacker, which effectively bypasses the sandbox and the entire browser process,” the researchers explained.
Attack Overview
Opera’s developers stated that upon receiving information about the vulnerability, they not only quickly fixed the issue on the server side but also took steps to prevent similar problems in the future.
“Our current structure uses the HTML standard, which is the safest option and does not compromise key functionality,” the company commented. “After Guardio notified us of this vulnerability, we addressed the root cause and are doing everything possible to prevent such issues from arising again.”