The vulnerability, discovered by security researcher RenwaX23, involved the browser's legacy Boost system - a feature that allowed users to create custom browser extensions.
The researcher found that the vulnerability could be exploited through Arc's Easel feature, which enables users to embed and share web content in a whiteboard-like interface.
The attack vector worked by creating a malicious boost that could be embedded within an Easel. If a victim clicked twice - once in the attacker-controlled Easel and once in an Arc-controlled confirmation dialog - the malicious boost could be installed with full disk access permissions.
This was particularly concerning because the boost could appear innocent in the user interface while containing hidden elevated permissions in its manifest file.
The Browser Company's security team confirmed that no users were affected by this vulnerability. Their investigation included a thorough analysis of all Easel data, which revealed no instances of embedded legacy boosts outside of those created during security testing.
In response to the discovery, The Browser Company implemented several security measures:
- Immediate patching of backend sanitization regular expressions used for embedding URLs in Easels
- Addition of new backend rules to enforce specific URL schemas for embeddings
- Implementation of enhanced Easel sanitization protocols
- Complete removal of the legacy boost feature in macOS Arc version 1.66.0
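
The first two measures describe a common hardening step: replacing pattern matching on the raw string with a scheme allowlist applied to the parsed URL. The sketch below is an added example, not The Browser Company's code; the article does not describe the original regular expressions, so the weak pattern, the function names, the `app-internal:` scheme and all sample URLs are constructed for illustration.

```javascript
// Added example: scheme allowlist for embed URLs (hypothetical names throughout).
const ALLOWED_SCHEMES = new Set(["https:"]);

// Constructed weak check: an unanchored pattern matches "https://" anywhere
// in the string, including inside a query parameter of another scheme.
function weakRegexCheck(raw) {
  return /https:\/\//i.test(raw);
}

// Stricter check: parse first, then compare the parsed scheme to the allowlist.
function validateEmbedUrl(raw) {
  if (typeof raw !== "string" || raw.length > 2048) {
    return { ok: false, reason: "bad-input" };
  }
  // URL parsers silently strip tabs and newlines, so reject them up front;
  // otherwise the string that was checked differs from the string that is used.
  if (/[\u0000-\u0020\u007f]/.test(raw)) {
    return { ok: false, reason: "control-or-space" };
  }
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: "scheme:" + url.protocol };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo" };
  }
  // Store the normalized form so later consumers see exactly what was validated.
  return { ok: true, url: url.href };
}

// Constructed sample inputs, not taken from the article.
const SAMPLES = [
  "https://example.com/video",
  "HTTPS://EXAMPLE.COM/a",
  "app-internal://open?next=https://example.com",
  "ht\ttps://example.com/",
  "https://user@example.com/",
];

function auditSamples() {
  return SAMPLES.map((raw) => ({ raw, weak: weakRegexCheck(raw), strict: validateEmbedUrl(raw) }));
}
```
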
It's worth noting that this vulnerability only affected Arc on macOS, as the legacy boost feature was never implemented in the Windows version of the browser. The Browser Company awarded a $10,000 bounty to RenwaX23 for responsibly disclosing this security issue.
The vulnerability has been fully addressed through backend infrastructure updates that are automatically applied to all users. While no user action is required to receive these security updates, The Browser Company recommends updating Arc installations as a best practice.