Jump to content
  • Researcher reveals ‘catastrophic’ security flaw in the Arc browser


    Karlston

    • 385 views
    • 3 minutes
     Share


    • 385 views
    • 3 minutes

    An exploit patched last month could have allowed attackers to access anyone’s browser just by knowing their user ID.

    A security researcher revealed a “catastrophic” vulnerability in the Arc browser that would have allowed attackers to insert arbitrary code into other users’ browser sessions with little than an easily findable user ID. The vulnerability was patched on August 26th and disclosed today in a blog post by security researcher xyz3va, as well as a statement from The Browser Company. The company says that its logs indicate no users were affected by the flaw.

     

    The exploit, CVE-2024-45489, relied on a misconfiguration in The Browser Company’s implementation of Firebase, a “database-as-a-backend service,” for storage of user info, including Arc Boosts, a feature that lets users customize the appearance of websites they visit.

     

    In its statement, The Browser Company writes:

     

    Arc has a feature called Boosts that allows you to customize any website with custom CSS and Javascript. Since running arbitrary Javascript on websites has potential security concerns, we opted not to make Boosts with custom Javascript shareable across members, but we still synced them to our server so that your own Boosts are available across devices.

     

    We use Firebase as the backend for certain Arc features (more on this below), and use it to persist Boosts for both sharing and syncing across devices. Unfortunately our Firebase ACLs (Access Control Lists, the way Firebase secures endpoints) were misconfigured, which allowed users Firebase requests to change the creatorID of a Boost after it had been created. This allowed any Boost to be assigned to any user (provided you had their userID), and thus activate it for them, leading to custom CSS or JS running on the website the boost was active on.

    Or, in the words of xyz3va,

     

    arc boosts can contain arbitrary javascript

     

    arc boosts are stored in firestore

     

    the arc browser gets which boosts to use via the creatorID field

     

    we can arbitrarily change the creatorID field to any user id

    You can get someone’s creatorID in several ways, including referral links, shared easels, and publicly shared Boosts. With that info, an attacker could have created a boost with arbitrary code in it and added it to the victim’s Arc account without any action on the victim’s part. That’s bad.

     

    The Browser Company responded quickly — xyz3va reported the bug to cofounder Hursh Agrawal, demonstrated it within minutes, and was added to the company Slack within half an hour. The bug was patched the next day, and the company’s statement details a list of security improvements it says it’s implementing, including setting up a bug bounty program, moving off of Firebase, disabling custom Javascript on synced Boosts, and hiring additional security staff.

     

    Source


    RIP Matrix | Farewell my friend  :sadbye:

     

    Hope you enjoyed this news post.

    Thank you for appreciating my time and effort posting news every single day for many years.

    2023: Over 5,800 news posts | 2024 (till end of August): 3,792 news posts


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...