Security researcher “xyz3va” on X uncovered a significant vulnerability in the Arc browser that could have exposed users to malicious attacks.
The flaw, CVE-2024-45489, allowed attackers to run arbitrary code on other users’ browsers by exploiting Arc’s Boost feature, a suite of tools within Arc browser that allow users to customize the look and feel of websites.
Vulnerability Details, Patch, and Security Improvements
According to a security bulletin released by Arc Browser, the exploit was linked to a misconfiguration in Arc’s use of Firebase, a Google-supported backend service used to store user data, including Boosts.
Researcher xyz3va discovered the vulnerability while exploring Arc’s Boost feature on August 25.
By manipulating user IDs linked to Boost, xyz3va demonstrated that an attacker could inject malicious code into a victim’s browser without the user’s knowledge or consent. She obtained user IDs through web scraping techniques and demonstrated that arbitrary code could run whenever the victim visited a specific website. This gave bad actors control over the victim’s browser session.
However, the vulnerability was patched on August 26, and an internal investigation revealed that no users had been affected. Arc paid the researcher a $2,000 bounty for their efforts.
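The class of flaw described above (a backend that accepts a write changing which user a record belongs to) can be shown as a weak ownership check beside a hardened one, together with the script-off default for synced Boosts that the company adopted afterwards. This is an added example, not Arc's or Firebase's code; the field names (ownerId, host, css, js), function names and sample records are hypothetical.

```javascript
// Added illustration, not Arc's code. Field names (ownerId, host, css, js)
// and the record shape are hypothetical; sample records are constructed.

// Weak rule: checks only who owned the record before the write, so the
// owner field itself can be rewritten to any other user's ID.
function weakAllowWrite(authUid, existing, proposed) {
  if (existing === null) return Boolean(authUid);
  return existing.ownerId === authUid;
}

// Hardened rule: the caller must be authenticated, a new record must be
// owned by the caller, and ownerId is immutable on update.
function strictAllowWrite(authUid, existing, proposed) {
  if (!authUid) return false;
  if (existing === null) return proposed.ownerId === authUid;
  return existing.ownerId === authUid && proposed.ownerId === existing.ownerId;
}

// Client-side default matching the fix the article reports: script in a
// record that arrived via sync is dropped unless the user opts in.
function loadSyncedRecord(record, allowSyncedJs = false) {
  const { js, ...rest } = record;
  return allowSyncedJs ? { ...rest, js } : { ...rest, js: null };
}

// Constructed sample data.
const stored = { ownerId: "user-a", host: "example.com", css: "body{}", js: null };
const reassigned = { ...stored, ownerId: "user-b", js: "/* script */" };
const ownEdit = { ...stored, css: "body{color:red}" };

function demo() {
  return {
    weakReassign: weakAllowWrite("user-a", stored, reassigned),       // accepted
    strictReassign: strictAllowWrite("user-a", stored, reassigned),   // rejected
    strictOwnEdit: strictAllowWrite("user-a", stored, ownEdit),       // accepted
    strictForgedCreate: strictAllowWrite("user-a", null, reassigned), // rejected
    syncedJs: loadSyncedRecord(reassigned).js,                        // stripped
  };
}

console.log(demo());
```
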
This vulnerability in Arc Browser by @browsercompany is so damning, that I can no longer trust they are taking user security and privacy seriously. https://t.co/DIviRiqGrM
Worst part is that Arc stores every site you visit. pic.twitter.com/TNfDQEcmme
— Ben Sassoon (@bensassoon) September 20, 2024
The Browser Company responded swiftly, making immediate security enhancements. These included disabling JavaScript on synced Boosts by default and moving away from Firebase for future features to prevent similar issues.
Additionally, the company launched an emergency external audit of its Firebase configurations to ensure there were no further vulnerabilities.
The company also plans regular security audits every six months and is now working to upgrade its security architecture and processes to prevent future breaches.
This incident marks Arc’s first vulnerability of this scale. So far, The Browser Company is using it as a critical learning moment.
The company has committed to refining its response to security flaws and improving its bounty program to incentivize researchers further.
we've been hard at work on Arc 2.0 @browsercompany
we just published our 5th (weekly) audio diary entry about the good, bad, and ugly.
we'll continue to share more nuanced, honest takes over on the podcast platform of your choice (vs here)… pic.twitter.com/VeLANHHLKK
— Josh Miller (@joshm) August 21, 2024
With these improvements, Arc aims to strengthen its security and prevent similar vulnerabilities from being exploited in the future.