Join the CyberIntelMatrix Free Membership Program today and be part of a constantly evolving CTI community

    This site is protected by reCAPTCHA and the Google and Terms of Service apply

    Back

    CrossBarking: New Attack Exploiting Opera’s Private API

    Posted on

    "Illustration of the CrossBarking cybersecurity attack on private APIs within a browser, highlighting the vulnerability in Opera. The image shows a browser window with warning symbols and malicious code representing a cyberattack, with a hacker figure in the background."
    “CrossBarking Attack on Browser Private APIs – Cybersecurity Illustration”

    Guardio researchers recently uncovered a new browser-based cyberattack, known as “CrossBarking,” that exploits private APIs within the Opera browser, revealing significant security vulnerabilities. Private APIs are typically designed to give web applications secure access to various browser functions—like storage, geolocation, or performance enhancement. Most APIs are publicly accessible and rigorously reviewed, but some browsers, like Opera, reserve private APIs for preferred third-party domains, including Instagram, Atlassian, Yandex, and VK. These APIs offer specialized functionalities that can enhance user experience but also pose unique security challenges.

    What is the CrossBarking Attack?

    Opera’s private APIs provide direct access to sensitive browser capabilities. However, these private APIs can also become a target for attackers. Guardio researchers demonstrated that malicious actors could use these APIs to execute unauthorized actions within a victim’s browser, from changing settings and hijacking accounts to disabling security features and installing additional malicious extensions. By employing a playful, dog-themed proof-of-concept, aptly named “CrossBarking,” the researchers showed how cyberattackers could gain considerable control over Opera users’ browsers through private API access.

    The Role and Risks of Private APIs in Browsers

    For CrossBarking to execute malicious code, it relies on cross-site scripting (XSS) vulnerabilities or a malicious browser extension. Opera’s own extensions are generally highly scrutinized, often facing months-long review processes before approval. However, Opera allows users to install Chrome extensions, which are available through the Chrome Web Store and often pass through a less rigorous, automated review process. This discrepancy in security standards opens the door for malicious extensions to target Opera users. To demonstrate this, Guardio researchers developed a benign-looking Chrome extension that appeared to add pictures of puppies to webpages. However, in reality, this extension allowed for script injection on websites with private API access, enabling the execution of malicious code and the unauthorized use of Opera’s private APIs.

    Guardio’s Proof of Vulnerability

    In one scenario, Guardio researchers exploited the settingsPrivate API, which permits reading and modifying browser settings, to alter the victim’s DNS configuration. By rerouting browser traffic through a malicious DNS server, the researchers gained the ability to observe and manipulate the victim’s browsing activity, including redirecting them to dangerous websites. Nati Tal, the head of Guardio Labs, highlighted that, while their proof-of-concept focused on DNS manipulation, the same approach could target a range of other browser settings, demonstrating the vast potential for abuse.

    This CrossBarking attack exemplifies the delicate balance between security and functionality in browser development. While private APIs offer enhanced capabilities, they also introduce potential attack vectors that browsers must carefully manage. Guardio previously discovered a similar private API vulnerability in Microsoft Edge, another Chromium-based browser, which underscores that these risks are not unique to Opera.

    To address the CrossBarking vulnerability, Opera has implemented a quick-fix solution by preventing extensions from executing scripts on domains with private API access. While this measure may mitigate some risks, Tal points out that browser developers need a comprehensive security strategy that accounts for the entire extension ecosystem. Since Opera allows Chrome extensions, it also inherits some of the security risks associated with Chrome’s automated review process. In a statement to Dark Reading, Opera emphasized the importance of responsible disclosure and thanked Guardio for their efforts. The company is now reviewing how it enables web app features to prevent similar security issues in the future.

    More News: LatestNews by CIM

    Resource: Darkreading.com