Critical Opera GX mod flaw allowed cross‑site data theft
🔒 An independent researcher discovered a critical vulnerability in Opera GX where GX Mods auto-install on download with no permission prompt, allowing an attacker to inject CSS across all pages. This behavior enabled a zero-click XS-Leak to recover a victim's Gmail address and facilitated a DoS crash when mods were forced into private mode. The issue was reported in February, patched on May 8, and the PoC was published on July 3.
