Windows and macOS systems could be compromised to facilitate the execution of any file through the exploitation of an already addressed remote code execution flaw in the Opera browser, reports The Hacker News.
Attackers exploited the flaw, dubbed "MyFlaw" as it stemmed from Opera's My Flow functionality that allowed message and file syncing between devices, through a malicious extension that evaded Opera's sandbox and process to distribute the file executing payload, according to a report from the Guardio Labs research team.
Opera's My Flow was also found to have an old forgotten version that features a script tag seeking a JavaScript file without the need for any integrity checking while not having the content security policy meta tag. Such exploitation indicates the growing sophistication of browser-based attacks, said researchers.
"This underscores the need for internal design changes at Opera and improvements in Chromium's infrastructure. For instance, disabling third-party extension permissions on dedicated production domains, similar to Chrome's web store, is recommended but has not yet been implemented by Opera," researchers added.