'CrossBarking' Attack Targeted Secret APIs, Exposing Opera Browser Users
Using a malicious Chrome extension, researchers showed how an attacker could use a now-fixed bug to inject custom code into a victim's Opera browser to exploit special and powerful APIs, used by developers and typically saved for only the most trusted sites.
October 30, 2024
Researchers have uncovered a fresh browser attack that compromises "private" application programming interfaces (APIs) in Opera to allow carte blanche over victims' browsers.
Browser APIs provide a bridge between Web applications and browser functionalities — including those related to security, storage, performance optimization, geolocation, and more — enabling the websites you visit to provide better, more robust features and experiences. Most browser APIs are publicly known, available to all, and rigorously reviewed.
Companies, however, have a habit of giving special permissions to their own preferred apps and sites. The Opera browser, for example, saves "private" APIs for several preferred third-party domains — such as Instagram, Atlassian, and Russia's Yandex and VK — as well as its own internal development domains, and those that are publicly reachable in the production version of the browser.
These private APIs may be useful for developers, but researchers from Guardio demonstrated how they could be accessed by hackers, too, giving cyberattackers nearly every power imaginable over a browser: changing settings, hijacking accounts, disabling security extensions, adding further malicious extensions, and more. They did so with a canine-themed proof-of-concept attack they called "CrossBarking."
CrossBarking Opera Browser Attack
The goal of CrossBarking is to run malicious code in the context of sites with access to those powerful, private APIs. To do that, one could make use of, for example, a cross-site scripting (XSS) vulnerability. Or, even easier, a malicious browser extension.
Getting a malicious extension onto Opera is no small feat. Many a developer has complained about just how drawn out its manual review process can be — taking months or even years in some cases. The upside is the comfort that Opera's 350 million active users enjoy: that the extensions they add to their browsers have been well and thoroughly vetted.
That isn't as much the case, however, for Chrome extensions, which Opera allows its users to download. Chrome add-ons undergo a largely automated review process, and might go live within just hours or days of being submitted for approval.
So, to leverage privileged Opera sites, Guardio researchers developed a Chrome extension, not an Opera one. They designed it to add pictures of puppies to webpages — a guise for running scripts on any given site — and concealed its malicious purpose well enough to get it approved on the Chrome store. If a puppy-loving Opera user adopted the extension and visited a site with private API access, it would perform a direct script injection attack to run malicious code and gain access to any powers afforded by those private APIs.
To demonstrate the full breadth of power afforded by CrossBarking, Guardio researchers targeted the settingsPrivate API, which allows for reading and editing any available browser settings. They used settingsPrivate to change a hypothetical victim's Domain Name System (DNS) settings, funneling all of their browser activity through a malicious DNS server. From there, the researchers had full view into the victim's browsing activity, plus the ability to manipulate the content of webpages or redirect the victim to malicious pages.
"You could almost take control over the entire browser, and the computer hosting it," explains Nati Tal, head of Guardio Labs. Though his PoC focused on changing a specific browser setting, "in the same way, you can change any other setting. There are many more APIs to hack — [we didn't] have enough time to check all of the possibilities."
Security vs. Functionality in Browser APIs
In the eternal struggle between functionality and security, browser developers will not easily part with the special APIs that allow them powers beyond those afforded to the hoi polloi. That applies to Opera, and other browsers as well. In May, Guardio discovered a not-dissimilar issue with a private API used for marketing in another Chromium browser, Microsoft Edge.
To fix the CrossBarking issue, Opera did not do away with its private APIs or its Chrome extension cross-compatibility. On Sept. 24, though, it did adopt a sort of quick-fix solution already implemented in Chrome: blocking the ability of any extension to run scripts on domains with private API access.
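The fix described above amounts to checking whether an extension's script-injection scope overlaps the domains that carry private API access. The following is an added audit example, not Opera's or Guardio's code: it parses Chromium extension match patterns from a manifest and reports which privileged hosts a given extension could inject content scripts into. The privileged host list and the sample manifests are constructed placeholders (the article names Instagram, Atlassian, Yandex and VK as having private API access, but the exact hostnames and Opera's real allowlist are assumptions).

```python
import json
import re

# Constructed placeholder list of hosts with private API access.
# The exact hostnames are assumptions, not Opera's real allowlist.
PRIVILEGED_HOSTS = ["www.instagram.com", "atlassian.com", "yandex.ru", "vk.com"]

def pattern_to_regex(pattern):
    """Convert a Chromium extension match pattern (scheme://host/path) to a regex."""
    if pattern == "<all_urls>":
        return re.compile(r"^(https?|file|ftp)://.*$")
    m = re.match(r"^(\*|https?|file|ftp)://(\*|(?:\*\.)?[^/*]+)?(/.*)$", pattern)
    if not m:
        raise ValueError(f"invalid match pattern: {pattern}")
    scheme, host, path = m.groups()
    scheme_re = "https?" if scheme == "*" else scheme   # "*" scheme means http or https
    if host is None or host == "*":
        host_re = "[^/]*"                                # any host (or none, for file://)
    elif host.startswith("*."):
        host_re = r"(?:[^/]+\.)?" + re.escape(host[2:])  # "*.x.com" also matches x.com itself
    else:
        host_re = re.escape(host)
    path_re = re.escape(path).replace(r"\*", ".*")       # "*" in the path is a glob
    return re.compile(f"^{scheme_re}://{host_re}{path_re}$")

def matches_url(pattern, url):
    return pattern_to_regex(pattern).match(url) is not None

def privileged_hosts_reachable(manifest, privileged_hosts=PRIVILEGED_HOSTS):
    """Return the privileged hosts this extension's content scripts could run on."""
    patterns = set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        patterns.update(cs.get("matches", []))
    hits = set()
    for host in privileged_hosts:
        url = f"https://{host}/"
        if any(matches_url(p, url) for p in patterns):
            hits.add(host)
    return sorted(hits)

# Constructed sample manifests: a broad "runs everywhere" extension and a narrow one.
PUPPY_MANIFEST = json.loads('{"manifest_version": 3, "name": "constructed sample",'
                            ' "content_scripts": [{"matches": ["<all_urls>"], "js": ["p.js"]}]}')
NARROW_MANIFEST = json.loads('{"manifest_version": 3, "name": "constructed sample",'
                             ' "content_scripts": [{"matches": ["https://*.example.org/*"], "js": ["n.js"]}]}')

if __name__ == "__main__":
    print("broad extension reaches:", privileged_hosts_reachable(PUPPY_MANIFEST))
    print("narrow extension reaches:", privileged_hosts_reachable(NARROW_MANIFEST))
```

An extension whose result is non-empty is one the Opera fix would now block from injecting on those domains; the same check is a useful triage step when reviewing third-party extensions installed in a browser fleet.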
"The infrastructure of Chromium is [such that] vendors need to take control of their security, and think about all the possible attack vectors there are. There are so many possible vectors," Tal concludes.
He adds: "In this case, again, it wasn't even in their [app store]. Opera is not responsible for Chrome Store, but they do allow extensions from there, so they need to think about it as well. [They have to see] the entire ecosystem, not only this vulnerability, to keep up with the threat."
In a statement to Dark Reading, a representative of Opera wrote that "Responsible disclosure is a big part of our ongoing work with third-party researchers — it helps us identify security flaws and fix them before they have had a chance to be exploited by bad actors. We would like to thank Guardio for their diligence and care in reporting this issue, and we will be carefully reviewing the way that web app features are enabled in the browser to avoid similar issues in the future."