Researcher reveals ‘catastrophic’ security flaw in the Arc browser


A security researcher revealed a “catastrophic” vulnerability in the Arc browser that would have allowed attackers to insert arbitrary code into other users’ browser sessions with little more than an easily findable user ID. The vulnerability was patched on August 26th and disclosed today in a blog post by security researcher xyz3va, as well as a statement from The Browser Company. The company says that its logs indicate no users were affected by the flaw.

The exploit, CVE-2024-45489, relied on a misconfiguration in The Browser Company’s implementation of Firebase, a “database-as-a-backend service,” for storage of user info, including Arc Boosts, a feature that lets users customize the appearance of websites they visit.

In its statement, The Browser Company writes:

Arc has a feature called Boosts that allows you to customize any website with custom CSS and Javascript. Since running arbitrary Javascript on websites has potential security concerns, we opted not to make Boosts with custom Javascript shareable across members, but we still synced them to our server so that your own Boosts are available across devices.

We use Firebase as the backend for certain Arc features (more on this below), and use it to persist Boosts for both sharing and syncing across devices. Unfortunately our Firebase ACLs (Access Control Lists, the way Firebase secures endpoints) were misconfigured, which allowed users’ Firebase requests to change the creatorID of a Boost after it had been created. This allowed any Boost to be assigned to any user (provided you had their userID), and thus activate it for them, leading to custom CSS or JS running on the website the boost was active on.

Or, in the words of xyz3va,

arc boosts can contain arbitrary javascript

arc boosts are stored in firestore

the arc browser gets which boosts to use via the creatorID field

we can arbitrarily change the creatorID field to any user id

You can get someone’s creatorID in several ways, including referral links, shared easels, and publicly shared Boosts. With that info, an attacker could have created a boost with arbitrary code in it and added it to the victim’s Arc account without any action on the victim’s part. That’s bad.
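As an added illustration of the authorization failure described above (example code written for this page, not The Browser Company’s code or its actual Firebase rules): the collection name `boosts`, the document shape, and the rule text in the comment are assumptions; only the `creatorID` field comes from the disclosure. The permissive policy models the class of rule that lets a Boost’s creatorID be reassigned to someone else, and the hardened one requires the caller to own the document and keeps creatorID immutable, which is the property a Firestore Security Rule for per-user data needs to enforce.

```javascript
// Added example (not The Browser Company's code or rules): a pure-function
// model of the decision a Firestore Security Rule on a per-user "boosts"
// collection should make for update requests. Collection name, document
// shape and the rule text below are assumptions; only creatorID is from
// the disclosure.
//
// Equivalent Firestore rule under those assumptions:
//   match /boosts/{boostId} {
//     allow create: if request.auth != null
//                   && request.resource.data.creatorID == request.auth.uid;
//     allow update: if request.auth != null
//                   && resource.data.creatorID == request.auth.uid
//                   && request.resource.data.creatorID == resource.data.creatorID;
//   }

// Permissive policy: any signed-in user may write any Boost document.
// A rule of this shape is what lets creatorID be reassigned after creation.
function permissiveUpdateAllowed(authUid, existing, incoming) {
  return authUid != null;
}

// Hardened policy: only the owner may update, and creatorID never changes.
function hardenedUpdateAllowed(authUid, existing, incoming) {
  if (authUid == null) return false;                            // unauthenticated
  if (existing.creatorID !== authUid) return false;             // caller is not the owner
  if (incoming.creatorID !== existing.creatorID) return false;  // ownership transfer attempt
  return true;
}

// Runs a policy over a list of update requests and returns the decisions.
// Each request is { authUid, existing, incoming }.
function evaluate(policy, requests) {
  return requests.map(r => policy(r.authUid, r.existing, r.incoming));
}

// Constructed sample document and requests (not real Arc data).
const boostByAttacker = { creatorID: 'user-attacker', css: '', js: 'alert(1)' };

const sampleRequests = [
  // 1. Owner edits their own Boost's CSS: legitimate under both policies.
  { authUid: 'user-attacker', existing: boostByAttacker,
    incoming: { ...boostByAttacker, css: 'body{}' } },
  // 2. Owner tries to reassign the Boost to another user's ID.
  { authUid: 'user-attacker', existing: boostByAttacker,
    incoming: { ...boostByAttacker, creatorID: 'user-victim' } },
  // 3. Unauthenticated request.
  { authUid: null, existing: boostByAttacker,
    incoming: { ...boostByAttacker, css: 'x' } },
  // 4. A different signed-in user edits a Boost they do not own.
  { authUid: 'user-other', existing: boostByAttacker,
    incoming: { ...boostByAttacker, css: 'x' } },
];

function permissiveDecisions() { return evaluate(permissiveUpdateAllowed, sampleRequests); }
function hardenedDecisions()   { return evaluate(hardenedUpdateAllowed, sampleRequests); }

// Stand-alone run: shows which requests each policy would accept.
console.log('permissive:', permissiveDecisions()); // [true, true, false, true]
console.log('hardened:  ', hardenedDecisions());   // [true, false, false, false]
```

Request 2 is the one that matters: under the permissive policy it is accepted, so the Boost now carries the victim’s ID and is synced to them; under the hardened policy the immutability check on `creatorID` rejects it regardless of who is signed in. The same two conditions (owner-only writes, immutable owner field) are what to look for when auditing any per-user collection in Firestore or a similar backend.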

The Browser Company responded quickly — xyz3va reported the bug to cofounder Hursh Agrawal, demonstrated it within minutes, and was added to the company Slack within half an hour. The bug was patched the next day, and the company’s statement details a list of security improvements it says it’s implementing, including setting up a bug bounty program, moving off of Firebase, disabling custom Javascript on synced Boosts, and hiring additional security staff.
