Opera Browser Vulnerability and SEC Social Media Hack Raise Alarms

In a recent disclosure, cybersecurity researchers found a critical security flaw, MyFlaw, affecting the Opera web browser on Microsoft Windows and Apple macOS. 

The vulnerability, which can lead to remote code execution, abuses the My Flow feature, designed for syncing messages and files between desktop and mobile devices.

Exploiting My Flow Feature

Guardio Labs explained that the flaw abuses a controlled browser extension associated with My Flow, bypassing the browser's sandbox and the entire browser process.

My Flow, featuring a chat-like interface, facilitates the exchange of notes and files. The flaw arises from a built-in extension, “Opera Touch Background,” responsible for communication with the mobile counterpart. 

This extension has its manifest file specifying permissions and behavior.

Domain Vulnerability and Attack Chain

The flaw is rooted in the extension's exposure to certain web domains: if one of those domains is compromised, it can be used to reach the extension's messaging API.

Guardio Labs discovered an outdated My Flow landing page that lacked crucial security measures, making it a potential target for code injection. 

The attack involves crafting a deceptive extension that masquerades as a mobile device in order to pair with the user's computer, transmit a malicious payload, and have it executed by an inadvertent user click.
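The flaw is described above as the extension's exposure to certain domains. Chromium-based extensions declare which web origins may open a messaging channel to them with the externally_connectable manifest key, so an audit of those patterns is the first check a defender would run. The following is an added example (not Opera's or Guardio's code) over a constructed manifest whose hostnames are placeholders; it flags the broad patterns worth tightening: plaintext http origins, subdomain wildcards, and any-host or any-scheme patterns.

```python
import json

# Constructed sample manifest (not the real Opera extension's manifest).
# externally_connectable.matches lists the web origins allowed to message
# the extension through chrome.runtime.sendMessage / connect.
SAMPLE_MANIFEST = json.dumps({
    "name": "Example Sync Background",
    "manifest_version": 3,
    "externally_connectable": {
        "matches": [
            "https://flow.example-browser.test/*",    # tight: one https origin
            "http://legacy.example-browser.test/*",   # plaintext origin
            "https://*.example-browser.test/*",       # every subdomain trusted
            "*://*/*",                                # any site at all
        ]
    },
})


def classify_match(pattern: str) -> list[str]:
    """Return risk findings for one externally_connectable match pattern."""
    findings = []
    if pattern == "<all_urls>" or pattern.startswith("*://"):
        findings.append("any-scheme")  # http and https alike may connect
    scheme, _, rest = pattern.partition("://")
    host = rest.split("/", 1)[0]
    if scheme == "http":
        # an on-path attacker can impersonate a plaintext origin
        findings.append("plaintext-http")
    if host in ("*", ""):
        findings.append("any-host")
    elif host.startswith("*."):
        # forgotten or stale subdomains (an old landing page, say) are trusted too
        findings.append("subdomain-wildcard")
    return findings


def audit_externally_connectable(manifest_text: str) -> dict[str, list[str]]:
    """Map each risky match pattern in a manifest to its findings."""
    manifest = json.loads(manifest_text)
    patterns = manifest.get("externally_connectable", {}).get("matches", [])
    return {p: f for p in patterns if (f := classify_match(p))}


if __name__ == "__main__":
    for pattern, findings in audit_externally_connectable(SAMPLE_MANIFEST).items():
        print(f"{pattern}: {', '.join(findings)}")
```

Only the single exact https origin passes with no findings; each of the other three patterns widens the set of pages that can talk to the extension.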

Opera’s Response and Recommendations

The company acknowledged the importance of collaboration with Guardio Labs, emphasizing their commitment to security. 

Opera advocated for internal design changes and suggested improvements in Chromium’s infrastructure to enhance browser security.

SEC Assures No Widespread Breach After Social Media Hack

The US Securities and Exchange Commission (SEC) faced a brief hack of its X account, prompting concerns about potential broader system compromises. 

However, the SEC has clarified that the breach was limited to its social media account, and no evidence suggests an intrusion into SEC systems or data.

Timeline of the Social Media Hack

The SEC disclosed more details about the timeline of the incident. On January 9th, an unauthorized party hacked into the SEC's social media account and, at 4:11 p.m. ET, posted a message attributed to SEC chair Gary Gensler about the 'false approval' of a new bitcoin ETF.

Subsequently, a second post mentioning “$BTC” was broadcast two minutes later and later deleted.

The Office of Public Affairs intervened at 4:26 p.m., alerting the public about the compromise and successfully removing the unauthorized post by 4:42 p.m. During the incident, the hacker also liked two posts from non-SEC accounts, which were promptly unliked.

Swift Response and Collaboration with X

Engaging X for assistance, the SEC managed to eject the hacker from the account between 4:40 p.m. and 5:30 p.m. 

While the fictitious post led to a temporary surge in bitcoin prices, the SEC highlighted ongoing efforts to investigate potential market manipulation and the resulting profits by some traders.

Cyber Security is For Everyone

Despite operating within sandboxed environments, browser extensions can be potent tools for hackers, necessitating continual improvements in security measures. 

Opera assured users of a swift resolution to the security hole and ongoing efforts to prevent similar issues in the future.

On the other hand, incidents such as the SEC account breach are a reminder that even the most trusted organizations can be hacked and used for deceptive purposes.

Author: Marrium Akhtar

Date: January 16, 2024
Marrium is a dedicated digital Marketer and an SEO enthusiast who is skilled in cracking SEO codes. Other than work, she loves to stream, eat, and repeat.
