Opera GX Bug Let Any Website Silently Install a Data-Stealing Add-On
Researchers rebuilt a signed-in user's Gmail address from one page visit. Opera has patched the flaw.

Key points
- Researchers found a flaw in Opera GX, the gaming-focused version of the Opera web browser, that let a booby-trapped website install a browser add-on without the user clicking anything.
- In a proof of concept, the researchers rebuilt a signed-in user's full Gmail address from a single visit to a malicious page.
- Opera has fixed the flaw and says it has seen no sign that real attackers used it against users.
- The bug sat inside Opera's own trusted install process, which is why the browser waved the add-on through without a prompt.
Security researchers have disclosed a flaw in Opera GX, a version of the Opera browser aimed at gamers, that let a malicious website quietly install a browser add-on on a visitor's machine and then use it to scrape data from other pages the person opened.
No click. No warning. Just an open tab.
The finding was first reported by The Hacker News. Opera has since patched the issue and told researchers it found no evidence anyone exploited it in the wild.
How did the attack actually work?
Opera GX trusted certain Opera-owned web pages to trigger add-on installs on the user's behalf, and the researchers found a way to abuse that trust. A browser add-on, sometimes called an extension or a mod, is a small program that plugs into the browser and can read or change the pages you visit.
Normally, installing one asks for your permission. In this case, the researchers showed that a malicious site could piggyback on Opera's own install machinery and skip the permission prompt entirely.
Once the add-on was in place, it had the access any add-on would: it could see the contents of the tabs the victim opened next.
To prove the point, the researchers built a demo add-on that pulled the signed-in Gmail address out of a visit to Google. One page load was enough to hand over the victim's email identity.
From an attacker's view, that is a foothold. An email address tied to a real, logged-in session is the seed for targeted phishing, where criminals send fake messages designed to trick a specific person into handing over passwords or codes.
What kind of data was at risk?
Any data visible on a page the victim loaded after the add-on was installed. That includes email addresses, account names, order details, message contents, and anything else the browser renders on screen.
It did not, on its own, hand over saved passwords or banking credentials. But an add-on with page-reading powers is a strong platform to build more on, and the researchers were clear that Gmail was just a demo target.
Has Opera fixed it?
Yes. Opera issued a fix through the browser's normal update channel and told the researchers its telemetry showed no exploitation. The company has not, at time of writing, published a dedicated security advisory with a CVE identifier attached.
Opera GX is used by millions of people, many of them younger users drawn in by the browser's gaming features and customisation. That audience is a large part of why this bug matters: casual users rarely audit which add-ons are running.
What should Opera GX users do?
Open the browser, go to the About page, and check that Opera GX has updated to the latest version. Restart the browser if it prompts you.
Then open the Extensions page and look at the list. If you see an add-on you do not recognise, remove it. Change the password on any account you were signed into during the affected period, starting with your primary email.
Turn on two-factor authentication on that email account if you have not already. It is the single most useful thing an ordinary user can do to blunt the follow-on damage from a stolen email address.



