A serious flaw in the Arc browser allowed hackers to execute arbitrary JavaScript code within any user’s browser, at least if they knew the user ID. A security researcher with the alias ‘xyz3va,’ made the discovery and promptly got a reward of 2,000 dollars for doing so, even though The Browser Company, the maker of Arc, had no bug bounty program at the time.
The vulnerability, known as CVE-2024-45489, only affected Arc, not other Chromium-based browsers. The flaw was Arc’s ‘Boosts’ feature, allowing users to customize websites with custom CSS and JavaScript. The browser stores these customizations in Firebase, the Google platform providing real-time databases, analytics, storage and monitoring.
A flaw in the configuration of the Firebase Access Control Lists (ACLs) allowed attackers to change a Boost’s CreatorID. This allowed attackers to assign a malicious Boost to users. These were activated automatically when the website for which the Boost was created was visited.
Quickly fixed
The flaw was reported as early as August 25 to The Browser Company, which fixed it within a day. There is no evidence that the bug has been actively exploited. Users need not to take any further action, although there was some work to do for The Browser Company itself. In response to the incident, Arc is now disabling JavaScript by default in synchronized Boosts. Also, it no longer uses Firebase for new features; The Browser Company now audits existing ACLs and hired a security engineer. A bug bounty program has also been established.
Additional measures include adding Mobile Device Management (MDM) controls and expanding release notes to include security details. The company has also hired a senior security engineer.
Mature issues for a new player
Arc is a relatively new player in the browser and search engine market. With European and foreign regulators taking a stricter line to ensure that Big Tech’s power does not immediately strangle new players in the market, Arc seemingly comes at the right time. However, playing with the big boys also means dealing with security incidents. This was the first incident of any magnitude for the young browser.
The researcher who uncovered the incident also reported that Arc processes data about visited sites, even though its own terms and conditions state that Arc does not track this. Version 1.61.1 should correct this. According to The Browser Company, this tracking happened only when the Boost editor was open, and no data was logged. Nevertheless, “this is against our privacy policy and should have never been in the product to begin with”, the company stated.
Also read: Arc browser tries to give multitaskers the best experience on Windows