A significant vulnerability was discovered in the Arc browser, developed by The Browser Company. The flaw, now identified as CVE-2024-45489, potentially allowed attackers to insert arbitrary code into other users’ browser sessions through a feature called "Boosts."
The vulnerability was uncovered by a security researcher known as xyz3va, who detailed the discovery process in a comprehensive blog post.
According to the researcher, the issue stemmed from a misconfiguration in Arc's Firebase Access Control Lists (ACLs), which are used to secure endpoints for various browser features.
At the heart of the vulnerability was Arc's Boost feature, which allows users to customize websites with custom CSS and JavaScript. While the browser developers had taken precautions to prevent sharing of Boosts containing custom JavaScript due to potential security concerns, they still synced these Boosts to their server to enable cross-device functionality for individual users.
The flaw in the Firebase ACLs permitted users to modify the "creatorID" of a Boost after its creation. This meant that a malicious actor could potentially assign any Boost to any user, provided they had access to the target's userID. As a result, an attacker could use the custom CSS or JavaScript in such a Boost to insert arbitrary code into other users' browser sessions.
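The class of rule gap described above, shown as an added illustration that is not from the researcher's write-up or from Arc's own code base. It assumes Boosts are stored in a Firestore collection named `boosts` with a `creatorID` field (both names assumed), and contrasts a permissive rule with an owner-bound one that makes `creatorID` immutable after creation:

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    match /boosts/{boostId} {
      // BEFORE (reconstructed, not Arc's actual rule): any signed-in user
      // could write any field of any Boost, including creatorID, so a
      // document could be reassigned to another account's uid.
      //   allow read, write: if request.auth != null;

      // AFTER: every operation is bound to the document's owner.
      function signedIn() {
        return request.auth != null;
      }
      function isOwner() {
        return signedIn() && resource.data.creatorID == request.auth.uid;
      }

      allow read: if isOwner();

      // A new Boost must carry the caller's own uid as creatorID.
      allow create: if signedIn()
                    && request.resource.data.creatorID == request.auth.uid;

      // Only the owner may update, and creatorID may not change.
      allow update: if isOwner()
                    && request.resource.data.creatorID == resource.data.creatorID;

      allow delete: if isOwner();
    }
  }
}
```

Rules like these can be exercised against both owner and non-owner identities in the Firebase Local Emulator Suite before deployment, which is the kind of check an ACL audit would repeat for every collection.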
Hursh Agarwal, CTO and Co-founder of The Browser Company, responded promptly to the disclosure with a detailed security advisory. He confirmed that the vulnerability existed in Arc prior to August 25, 2024, and was patched on August 26, 2024, following the researcher's private report.
In a reassuring statement for Arc users, Agarwal emphasized that their internal investigations found no evidence of exploitation beyond the security researcher's controlled tests.
"We've patched the vulnerability immediately, already rolled out the fix, and verified that no one outside of the security researcher who discovered the bug has exploited it. This means no members were affected by this vulnerability," Agarwal stated.
The Browser Company's response to the incident has been swift and transparent. They have implemented several measures to prevent similar issues in the future and improve their security posture:
- Fixing privacy concerns related to website information leakage during Boost editor usage.
- Disabling JavaScript on synced Boosts by default, requiring explicit user activation for cross-device JavaScript Boosts.
- Introducing MDM configuration options to disable Boosts organization-wide.
- Transitioning away from Firebase for new features and products to mitigate future ACL-related vulnerabilities.
- Conducting a comprehensive audit of existing Firebase ACLs.
- Establishing clearer guidelines for bug bounties and improving communication around security vulnerabilities.
The company has also taken steps to strengthen its security team, including the hiring of a new senior security engineer.
While the potential impact of this vulnerability was significant, the quick response and apparent lack of exploitation in the wild have mitigated immediate risks to Arc users.
The researcher noted that this amounts to arbitrary JavaScript execution on any website without any user interaction, not even a visit to an attacker's website.
note: doesn't even require you to go to an attacker's website
— xyzeva (@xyz3va) September 19, 2024
The discovery has also sparked discussions about the privacy implications of certain browser functionalities. The researcher noted that Arc was sending data about visited websites to its servers when the Boost feature was active, which contradicted the browser's privacy policy. The Browser Company has acknowledged this issue and committed to addressing it in their v1.61.1 update.
As web browsers continue to evolve and introduce new features, the balance between innovation and security remains a critical concern.
Users of the Arc browser are encouraged to ensure they are running the latest version of the software, which includes the security patch for this vulnerability.