The popular Arc browser has been found to have a serious security flaw, possibly leaving millions of users open to attacks. According to the security researcher xyz3va, a “catastrophic” vulnerability existed in the browser's architecture. It could have allowed attackers with nothing more than a user ID to hijack user sessions. Although it was patched in late August, the finding raises questions about Arc's security and is a wake-up call for all internet users.
Arc Browser Vulnerability: What Happened?
A patch for a critical vulnerability landed in the Arc browser on August 26th, 2024, after a researcher showed how attackers could inject arbitrary code into a user's browser session simply by knowing their user ID. The vulnerability was found and publicly demonstrated by a security researcher using the handle xyz3va, who described the exploit in a recent blog post. Though serious, the issue was quickly patched by Arc's developer, The Browser Company, which said in a statement that no users were affected by the flaw.
The flaw was assigned CVE-2024-45489 and stems from a misconfiguration in Arc's use of Firebase, a popular cloud-based backend for storing user data. Arc used Firebase to store information about users, including data from Boosts, a browser feature for customizing how visited websites look. A weakness in the permissions that Firebase applied to user access could be exploited by malicious actors.
How the Exploit Worked
The bug was in how Arc handled Boosts, a feature that lets users inject custom CSS and JavaScript into the websites they visit. To mitigate security risks, Arc's design was supposed to prevent custom JavaScript from being shared across users. The vulnerability, however, allowed any third party who knew a user's creatorID to push malicious code into that user's browser.
As security researcher xyz3va succinctly explained:
- Boosts sit in Firestore
- Arc decides which Boosts to apply, based on the creatorID
- An attacker can manipulate creatorID to inject custom code in another user’s browsing session.
The danger lay in how easily an attacker could obtain the creatorID of any given user. The ID can be retrieved from shared referral links, shared Arc Easels, and publicly available Boosts. With the ID in hand, an attacker could take over another user's browser and run malicious scripts without the victim's knowledge.
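The ownership check this class of bug comes down to, as an added example (not code from Arc, The Browser Company, or the researcher): a small in-memory model in which a weak update policy checks only the current owner, beside a hardened one that also pins creatorID. Only the field name creatorID comes from the article; the function names, user IDs and document shape are hypothetical.

```javascript
// Hypothetical model of a backend write check on a Boost document.
// It is NOT Arc's real rule set; only the field name creatorID is from the article.

// Weak policy: verifies only that the caller owns the document as stored now.
function weakAllowUpdate(authUid, existingDoc, incomingDoc) {
  return existingDoc.creatorID === authUid;
}

// Hardened policy: the caller must own the document before AND after the
// write, so creatorID can never be reassigned to a different user.
function strictAllowUpdate(authUid, existingDoc, incomingDoc) {
  return existingDoc.creatorID === authUid &&
         incomingDoc.creatorID === authUid;
}

// Merge a patch into a stored document if the policy permits it.
function applyUpdate(policy, authUid, existingDoc, patch) {
  const incoming = { ...existingDoc, ...patch };
  if (!policy(authUid, existingDoc, incoming)) {
    return { ok: false, doc: existingDoc }; // write rejected, nothing changes
  }
  return { ok: true, doc: incoming };
}

// Client-side selection as the article describes it: a Boost is applied
// for whichever user its creatorID names.
function boostsFor(uid, store) {
  return store.filter((b) => b.creatorID === uid).map((b) => b.id);
}

// Constructed sample data: user-A owns a Boost and submits an update that
// rewrites its creatorID to user-B.
function demo() {
  const boost = { id: 'boost-1', creatorID: 'user-A', css: 'body{}' };
  const reassignment = { creatorID: 'user-B' };
  const weak = applyUpdate(weakAllowUpdate, 'user-A', boost, reassignment);
  const strict = applyUpdate(strictAllowUpdate, 'user-A', boost, reassignment);
  return {
    weakAccepted: weak.ok,
    weakVisibleToB: boostsFor('user-B', [weak.doc]),
    strictAccepted: strict.ok,
    strictVisibleToB: boostsFor('user-B', [strict.doc]),
  };
}
```

Under the weak policy the reassigned Boost is selected for user-B; under the strict policy the write is rejected and user-B's selection stays empty, while ordinary edits by the owner still succeed.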
Immediate Response by The Browser Company
Once the flaw was reported, The Browser Company acted swiftly. According to the company's statement, the security researcher was able to demonstrate the exploit within minutes of reporting it. The flaw was fixed and patched the next day, and further precautions were taken to make sure such a problem would not happen again.
Key steps taken by The Browser Company include:
- Migrating from Firebase to more secure backend solutions.
- Disabling Custom JavaScript in synced Boosts.
- Offering bug bounty programs to incentivize the disclosure of future vulnerabilities.
- Diversifying their internal security team to provide better threat monitoring.
Users, for their part, were advised to update to the latest version of Arc as soon as possible to defend against potential exploits. You can download the latest version of Arc for macOS and ChromeOS directly from The Browser Company's website.
The Broader Implications for Browser Security
This vulnerability was patched before any attempts to exploit it in the wild could be observed, but it shines a light on a far larger problem for browser developers and users alike: how easily personal browsing experiences can be compromised. Internet users increasingly depend on browsers such as Arc to manage passwords, conduct sensitive transactions, and much more, which makes the consequences of a vulnerability severe.
In many ways, browser security will remain a concern as long as companies like Google and Mozilla keep expanding user customization, such as Boosts or Chrome's developer tools; with great customization power comes great risk. Any time a browser allows a user to execute custom code or scripts, it opens the door to possible vulnerabilities that malicious actors can exploit.
Users concerned about internet safety would do well to:
- Keep the browser and its security features updated regularly.
- Be wary of installing third-party extensions or running user scripts, even when they seem benign.
- Enable two-factor authentication, where possible, for added protection.
How to Protect Yourself Against Future Vulnerabilities
Browser-based vulnerabilities are a lucrative target, and while firms like The Browser Company move quickly to patch exploits, it is up to the user to stay vigilant. Here are some tips:
- Update Regularly: Install browser updates as soon as they are available.
- Avoid Unverified Boosts: Be very careful about any third-party Boosts or extensions, as those are potential entry points for malicious code.
- Keep an eye on your browser settings: Periodically check the security and privacy settings in your browser. Sometimes simple negligence here proves disastrous.
Kudos, then, to The Browser Company, whose alertness and quick response protected the majority of users from the Arc browser security flaw. Still, the incident is a lesson in being more prudent and taking extra precautions to stay safe online.