Researcher reveals ‘catastrophic’ security flaw in the Arc browser


A security researcher revealed a ‘catastrophic’ vulnerability in the Arc browser that would have allowed attackers to insert arbitrary code into other users’ browser sessions with little more than an easily findable user ID. The vulnerability was patched on August 26th and disclosed today in a blog post by security researcher xyz3va, as well as a statement from The Browser Company. The company says that its logs indicate no users were affected by the flaw.

The exploit, CVE-2024-45489, relied on a misconfiguration in The Browser Company’s implementation of Firebase, a “database-as-a-backend service,” for storage of user info, including Arc Boosts, a feature that lets users customize the appearance of websites they visit.

In its statement, The Browser Company writes:

Arc has a feature called Boosts that allows you to customize any website with custom CSS and Javascript. Since running arbitrary Javascript on websites has potential security concerns, we opted not to make Boosts with custom Javascript shareable across members, but we still synced them to our server so that your own Boosts are available across devices.

We use Firebase as the backend for certain Arc features (more on this below), and use it to persist Boosts for both sharing and syncing across devices. Unfortunately our Firebase ACLs (Access Control Lists, the way Firebase secures endpoints) were misconfigured, which allowed users’ Firebase requests to change the creatorID of a Boost after it had been created. This allowed any Boost to be assigned to any user (provided you had their userID), and thus activate it for them, leading to custom CSS or JS running on the website the boost was active on.

Or, in the words of xyz3va,

arc boosts can contain arbitrary javascript

arc boosts are stored in firestore

the arc browser gets which boosts to use via the creatorID field

we can arbitrarily change the creatorID field to any user id

You can get someone’s creatorID in several ways, including referral links, shared easels, and publicly shared Boosts. With that info, an attacker could have created a boost with arbitrary code in it and added it to the victim’s Arc account without any action on the victim’s part. That’s bad.
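As an added illustration, not The Browser Company’s actual rules (the article does not show them), here is the shape of a Firestore security rule that would permit the creatorID reassignment the statement describes, next to a hardened rule that pins creatorID to the authenticated creator and makes it immutable after creation. The collection name `boosts` and the rule layout are assumptions; the field name `creatorID` comes from the article.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (illustrative, assumed shape): any signed-in user may write any
    // boost document, including rewriting its creatorID to another userID.
    // Kept commented out on purpose: Firestore grants access if ANY matching
    // rule allows it, so an overlapping permissive block would override the
    // hardened one below.
    // match /boosts/{boostId} {
    //   allow read, write: if request.auth != null;
    // }

    // HARDENED (illustrative): a boost is owned by whoever created it, and
    // creatorID can never change after creation.
    match /boosts/{boostId} {
      // Only the owner may read their synced boost (public sharing would
      // need a separate, explicit flag; omitted here).
      allow read: if request.auth != null
                  && resource.data.creatorID == request.auth.uid;

      // On create, creatorID must equal the caller's own uid.
      allow create: if request.auth != null
                    && request.resource.data.creatorID == request.auth.uid;

      // On update, the caller must be the current owner AND the post-write
      // document (request.resource) must keep creatorID unchanged.
      allow update: if request.auth != null
                    && resource.data.creatorID == request.auth.uid
                    && request.resource.data.creatorID == resource.data.creatorID;

      // Only the owner may delete.
      allow delete: if request.auth != null
                    && resource.data.creatorID == request.auth.uid;
    }
  }
}
```

The rules unit tests in the Firebase Local Emulator Suite are the place to check this: a write that changes creatorID to another user’s ID should be denied while a same-owner edit of the CSS/JS fields succeeds.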

The Browser Company responded quickly — xyz3va reported the bug to co-founder Hursh Agrawal, demonstrated it within minutes, and was added to the company Slack within half an hour. The bug was patched the next day, and the company’s statement details a list of security improvements it says it’s implementing, including setting up a bug bounty program, moving off of Firebase, disabling custom Javascript on synced Boosts, and hiring additional security staff.
