Search This Blog

Powered by Blogger.

Blog Archive

Labels

Opera Browser Users Beware: MyFlaw Bug Allows Hackers to Run Any File Remotely

Opera users face a critical MyFlaw Bug, allowing remote file execution. Urgent updates and vigilance are advised to mitigate potential risks.

 


There has been an unearthed critical security flaw in the Opera browser that has been of concern to Opera browser enthusiasts. As a result of the "MyFlaw Bug," hackers can remotely execute any file on users' computers, posing a serious threat. Opera users are advised to exercise caution when browsing due to the potential for widespread exploitation of this exploit. 

On both MacOS and Windows, cybersecurity experts are actively working on addressing this issue to mitigate the risk associated with unauthorized file execution on both platforms. Experts strongly recommend that immediate updates and heightened vigilance be undertaken to mitigate this risk. 

In a statement shared with Hacker News, Guardio Labs researchers have codenamed the remote code execution vulnerability MyFlaw because it takes advantage of the feature that lets mobile and desktop devices synchronize messages and files by using a feature called MyFlow. 

As the company explains in a statement they shared with the publication, the browser extension that they created bypasses the browser's sandbox and the entire browser process, effectively bypassing the entire browser process. In the aftermath of the responsible disclosure of the issue on November 17, 2023, the issue was addressed as part of the updates shipped on November 22, 2023, which are addressed both with the Opera browser and Opera GX.

My Flow, the feature on Opera's website, stands out because it allows you to seamlessly share your notes and files between your desktop and mobile devices through the browser. You can easily exchange files and messages by scanning a QR code with Opera's mobile app, and the chat-like interface it provides is reminiscent of a chat interface. 

There is a chat interface built into My Flow that allows you to exchange notes and files, the latter of which can be opened using a web interface, which means the file can be executed outside the browser's security parameters. Despite the convenience of this feature, it revealed that there are potentially high-security risks associated with it, which prompted us to conduct a further investigation.

During our vulnerability research, we identify high-risk vectors, such as those discussed above, and thoroughly examine the architecture, development, and security protocols involved in these vectors, seeking to identify any security gaps and logic errors that could be exploited. We did indeed find a significant vulnerability that was exploitable. 

To make the Guardio research team aware of the security issue, a remote code execution vulnerability known as MyFlaw has been found in Opera's 'My Flow' feature, which allows you to share notes and files seamlessly between desktops and mobile devices through the browser. 

The web-based My Flow chat interface, for example, has been updated so that any attached files can be executed directly from the browser by clicking on the 'OPEN' button. This has led to new potential attack vectors, which were concerned. Researchers have documented that the ability to execute local system files from a web context could pose a serious security risk, as it can have a variety of unintended consequences. The investigation that has been conducted has revealed that My Flow works in part as a result of an extension installed in your browser already that is known as the 'Opera Touch Background'. 

In addition to the capability of opening and downloading files to the local system, this extension has extensive permissions. There is a built-in browser extension named "Opera Touch Background" that is tasked with interacting between the desktop browser and the mobile version that comes pre-installed with this feature. This extension is for communicating between the desktop browser and the mobile version.

In addition, this means that the extension carries a manifest file that sets out all the permissions and behaviours that it needs to be able to perform, such as the externally_connectable property that identifies which websites and extensions can be connected to it.

Although the majority of Opera's production servers do not appear to have any known vulnerable assets at the moment, there is always the possibility that such issues may recur in the future due to human error or new updates of code that are vulnerable to exploiting XSS.

It has been documented by researchers that the ability to execute local system files from a web context could pose a significant security threat, due to the wide variety of unintended outcomes this could have. Based on the findings that have been obtained as a result of the investigation that has been conducted, there is little doubt that My Flow operates in part as a result of the installation of an extension known as the Opera Touch Background that is already installed on your browser. 

Besides being able to open and download files to your local system, this extension also has extensive permissions that are considerably more extensive than they are with other extensions. Opera Touch Background enables the desktop version of the browser to interact with the mobile version of the browser. 

It is a built-in browser extension that comes pre-installed with the mobile version of the browser enabling the interaction between the desktop and mobile versions. As the name suggests, this extension allows for communication between the mobile and desktop versions of the web browser. 

In addition, this means that the extension carries a manifest file that sets out all the permissions and behaviours that it needs to be able to perform, such as the externally_connectable property that identifies which websites and extensions can be connected to it. 

Although the majority of Opera's production servers do not appear to have any known vulnerable assets at the moment, there is always the possibility that such issues may recur in the future due to human error or new updates of code that are vulnerable to exploiting XSS.
Share it:

Cyber Attacks

CyberCrime

Cyberhackers

Cybersecurity

MyFlaw Bug

Opera Browser