Security Researcher Reveals Critical Bug in Arc Browser’s Boost Feature

Key Takeaways

  • A security researcher has uncovered a critical vulnerability in the Arc browser.
  • The flaw, CVE-2024-45489, was discovered in Arc's Boost feature, which allows custom website modifications.
  • The vulnerability was patched on August 26, with no users reportedly affected.

Security researcher “xyz3va” on X uncovered a significant vulnerability in the Arc browser that could have exposed users to malicious attacks. 

The flaw, CVE-2024-45489, allowed attackers to run arbitrary code on other users’ browsers by exploiting Arc’s Boost feature, a suite of tools within the Arc browser that allows users to customize the look and feel of websites.

Vulnerability Details, Patch, and Security Improvements

According to a security bulletin released by Arc Browser, the exploit was linked to a misconfiguration in Arc’s use of Firebase, a Google-supported backend service used to store user data, including Boosts.

Researcher xyz3va discovered the vulnerability while exploring Arc’s Boost feature on August 25.

By manipulating user IDs linked to Boost, xyz3va demonstrated that an attacker could inject malicious code into a victim’s browser without the user’s knowledge or consent. She obtained user IDs through web scraping techniques and demonstrated that arbitrary code could run whenever the victim visited a specific website. This gave bad actors control over the victim’s browser session.

However, the vulnerability was patched on August 26, and an internal investigation revealed that no users had been affected. Arc paid the researcher a $2,000 bounty for their efforts.

The Browser Company responded swiftly, making immediate security enhancements. These included disabling JavaScript on synced Boosts by default and moving away from Firebase for future features to prevent similar issues.
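The two defenses this article describes, an ownership check on the user ID linked to a Boost and script disabled by default on synced Boosts, can be sketched as follows. This is an added example, not code from Arc or from the researcher; the record shape, the field names (`ownerId`, `js`, `css`, `host`) and the `allowSyncedJs` opt-in are hypothetical.

```javascript
// Added illustration. Field names and record shape are hypothetical,
// not Arc's schema or its Firebase rules.

// Weak check: asks only whether the caller owns the record as stored,
// so the write itself may point ownerId at any other user's ID.
function weakCanUpdate(authUid, stored, incoming) {
  return authUid !== null && stored.ownerId === authUid;
}

// Hardened check: the caller must own the stored record AND the write
// must leave the owner field unchanged.
function hardenedCanUpdate(authUid, stored, incoming) {
  return authUid !== null &&
    stored.ownerId === authUid &&
    incoming.ownerId === stored.ownerId;
}

// Hardened create: a new record may only name the caller as its owner.
function hardenedCanCreate(authUid, incoming) {
  return authUid !== null && incoming.ownerId === authUid;
}

// Client-side defense in depth: a Boost that arrived through sync keeps
// its styling, but its script is dropped unless the user opted in.
function prepareSyncedBoost(boost, { allowSyncedJs = false } = {}) {
  const { js, ...rest } = boost;
  return allowSyncedJs ? { ...rest, js } : { ...rest, js: null, jsDisabled: true };
}

// Constructed sample records.
const stored = { id: "boost-1", ownerId: "user-A", host: "example.com",
                 css: "body{}", js: "/* script */" };
const reassigned = { ...stored, ownerId: "user-B" };   // owner field changed
const edited = { ...stored, css: "body{color:red}" };  // ordinary edit

function demo() {
  return {
    weakAllowsReassign: weakCanUpdate("user-A", stored, reassigned),
    hardenedAllowsReassign: hardenedCanUpdate("user-A", stored, reassigned),
    hardenedAllowsEdit: hardenedCanUpdate("user-A", stored, edited),
    hardenedAllowsForeignCreate: hardenedCanCreate("user-A", reassigned),
    syncedJs: prepareSyncedBoost(reassigned).js,
  };
}

console.log(demo());
```

The server-side check and the client-side default are independent: either one alone blocks the scenario, and applying both means a mistake in the access rules does not by itself lead to script running in another user's browser.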

Additionally, the company launched an emergency external audit of its Firebase configurations to ensure there were no further vulnerabilities.

The company also plans regular security audits every six months and is now working to upgrade its security architecture and processes to prevent future breaches.

This incident marks Arc’s first vulnerability of this scale. So far, The Browser Company is using it as a critical learning moment.

The company has committed to refining its response to security flaws and improving its bounty program to incentivize researchers further.

With these improvements, Arc aims to strengthen its security and prevent similar vulnerabilities from being exploited in the future.