CrossBarking: How a New Attack Targets Opera’s Secret APIs
This blog explores the CrossBarking exploit, a newly discovered attack targeting Opera's private APIs. It delves into how attackers use malicious Chrome extensions to inject harmful scripts, manipulate browser settings, and pair the exploit with XSS attacks for greater impact. Defensive measures, including stricter API permissions and enhanced extension vetting, are also discussed to help mitigate such threats.
Cybersecurity researchers recently uncovered a new browser exploit named CrossBarking that abuses hidden “private” APIs within the Opera browser, potentially giving attackers extensive control over a victim's system. Opera, like many browsers, reserves these APIs for trusted domains, enabling functionality extensions that can improve user experience. However, this convenience opens doors for exploitation if security isn’t adequately maintained.
The CrossBarking Attack Flow
- Malicious Chrome Extension: Opera’s support for Chrome extensions allows attackers to bypass Opera's rigorous extension review process. Guardio Labs researchers created a benign-seeming Chrome extension, disguised as a tool that adds puppy images to webpages, which was able to pass Chrome’s lighter vetting.
- Injection of Malicious Code: When the extension is installed on Opera, it injects scripts into Opera’s trusted sites whenever a user with the extension visits them. This direct script injection abuses Opera’s secret APIs.
- Access to Private API Controls: Through the settingsPrivate API, attackers can change browser settings without the user’s knowledge. For example, they redirected the victim’s DNS settings to a malicious server, allowing them to monitor browsing activity, intercept data, and manipulate web content.
Cross-Site Scripting (XSS) and CrossBarking
CrossBarking can also pair with cross-site scripting (XSS) attacks to broaden its reach. Malicious scripts on trusted websites can deepen the attack, allowing hackers to hijack browser sessions, capture sensitive data, or further exploit Opera’s private APIs.
Defensive Measures
In response, Opera has blocked Chrome extensions from injecting scripts on domains with private API access. However, additional defensive steps include:
- Limit Exposure of Private APIs: Reducing API permissions to essential services minimizes risk.
- Strengthened Vetting: Enhanced review processes for extensions shared across browsers can help prevent similar exploits.
- User Caution: Regularly reviewing installed extensions and permissions can help users spot suspicious behavior.
CrossBarking reveals the complex balance between usability and security. By recognizing these risks, both users and developers can better guard against sophisticated browser attacks.
References
- DarkReading, “CrossBarking Attack Targets Secret APIs, Exposes Opera Browser Users”, https://www.darkreading.com/vulnerabilities-threats/crossbarking-attack-secret-apis-expose-opera-browser-users
- Guardio Labs, “CrossBarking: Attack on Opera’s Private APIs,” https://medium.com/@guardiosecurity/crossbarking-exploiting-a-0-day-opera-vulnerability-with-a-cross-browser-extension-store-attack-db3e6d6e6aa8
- National Institute of Standards and Technology (NIST), “Guidelines on Browser Security and API Privilege Management,” NIST SP-800-125
Edited By: Windhya Rankothge
