Security researchers have disclosed a browser attack that abuses “private” application programming interfaces (APIs) in Opera to gain unauthorized control over victims’ browsers.
Browser APIs are the link between Web applications and browser functionality, covering areas such as security, storage, geolocation, and performance optimization. While most of these APIs are available to any website and go through public review and standardization, browser vendors sometimes expose additional, non-public APIs only to selected apps and websites.
In Opera’s case, certain “private” APIs are exposed only to an allow-list of domains: third-party sites such as Instagram and Atlassian, as well as Opera’s own domains, including internal development domains that are still reachable from the production build of the browser. These private APIs are convenient for the developers they are meant for, but researchers from Guardio showed that an attacker who can run code on one of the allow-listed sites inherits the same access, which is enough to alter settings, compromise accounts, disable security features, inject malicious extensions, and more. They demonstrated the findings with a proof-of-concept attack named “CrossBarking.”
The objective of the “CrossBarking” attack is to execute attacker-controlled code inside a site that has access to these private APIs. That can be achieved through a vulnerability in the site itself, such as cross-site scripting (XSS), or through a malicious browser extension whose content script runs in the context of the allow-listed site. Getting a malicious extension into Opera’s own add-on store is hard because submissions go through a manual review, but Opera can also install extensions from the Chrome Web Store, whose review is faster and largely automated, which makes a Chrome extension the more practical vector.
To show this, the Guardio researchers built a Chrome extension disguised as a harmless tool that adds puppy pictures to webpages. Because the extension was allowed to inject scripts into arbitrary pages, it could inject into pages of the allow-listed sites, and the injected code then ran with those sites’ private-API access.
To demonstrate the impact, the researchers targeted the ‘settingsPrivate’ API, which can read and edit browser settings. By changing the victim’s Domain Name System (DNS) settings, they could route all of the browser’s name resolution through a DNS server they controlled, which reveals every hostname the browser looks up and lets the attacker redirect users to attacker-controlled sites. Note that DNS control alone does not let an attacker transparently rewrite the content of sites protected by TLS; what it enables is redirection to look-alike pages on attacker-controlled hosts and visibility into browsing activity, which is already serious.
In response to CrossBarking, Opera adopted a mitigation similar to the one Chrome already applies to its own privileged sites: extensions are blocked from running scripts on domains that have private API access. This removes the extension-based path, though not the XSS path, which depends on the allow-listed sites themselves, and it illustrates the ongoing trade-off between functionality and security in browser APIs.
Nati Tal, head of Guardio Labs, emphasized the importance of browser vendors staying vigilant against evolving threats and considering all potential attack vectors. He stressed the need for a comprehensive approach to security encompassing the entire browser ecosystem to effectively mitigate risks and safeguard user data.
Ultimately, CrossBarking is a reminder that any API exposed to a privileged set of origins is only as safe as the weakest of those origins, and that every route to executing code on them, including the extension ecosystems a browser chooses to support, has to be counted as an attack surface. Opera’s response shows the kind of proactive measure needed to keep private browser APIs from becoming a standing liability.