The Verge | All Posts

Researcher reveals ‘catastrophic’ security flaw in the Arc browser

A security researcher named xyz3va discovered a severe vulnerability in the Arc browser that allowed attackers to insert arbitrary code into other users' browser sessions using only a user ID. The vulnerability, tracked as CVE-2024-45489, was caused by a misconfiguration in The Browser Company's implementation of Firebase for storing user information.

The exploit relied on the Arc Boosts feature, which allows users to customize websites with custom CSS and JavaScript. The Browser Company's misconfigured Firebase ACLs allowed users to change the creatorID of a Boost, enabling any Boost to be assigned to any user. This could have allowed attackers to create a Boost with arbitrary code and add it to a victim's Arc account without the victim's knowledge or action.

The Browser Company responded quickly to the bug report, patching the vulnerability on August 26th and disclosing it publicly. According to the company, its logs indicate that no users were affected by the flaw. The company is implementing several security improvements, including setting up a bug bounty program, moving off of Firebase, and hiring additional security staff. It is also disabling custom JavaScript on synced Boosts to prevent similar vulnerabilities in the future. The company's swift response and proactive measures aim to prevent such vulnerabilities from occurring again.
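The ownership check at the heart of this flaw, as an added JavaScript model that is not The Browser Company's code or its actual Firebase rules: it contrasts a check that only verifies who owns the stored record with one that also refuses changes to creatorID. The record shape, function names and sample data are assumptions made for illustration.

```javascript
// Added model of an update-authorization check; not Arc's or Firebase's code.
// Assumption: `incoming` is the full record as it would be stored after the write.

// Weak check: the caller must own the record as currently stored.
// Nothing constrains the creatorID being written.
function weakAllowUpdate(authUid, stored, incoming) {
  return stored.creatorID === authUid;
}

// Hardened check: the caller must own the stored record and the write
// must leave creatorID unchanged.
function strictAllowUpdate(authUid, stored, incoming) {
  return stored.creatorID === authUid && incoming.creatorID === stored.creatorID;
}

// Replay update requests under a rule and return the ids of accepted
// writes that moved a record to a different creatorID.
function ownershipChanges(rule, store, requests) {
  const db = new Map(store.map((doc) => [doc.id, { ...doc }]));
  const moved = [];
  for (const req of requests) {
    const stored = db.get(req.id);
    if (!stored || !rule(req.authUid, stored, req.data)) continue;
    if (req.data.creatorID !== stored.creatorID) moved.push(req.id);
    db.set(req.id, { ...req.data, id: req.id });
  }
  return moved;
}

// Constructed sample data (hypothetical ids and fields).
const STORE = [
  { id: "boost-1", creatorID: "user-a", js: "/* a */" },
  { id: "boost-2", creatorID: "user-b", js: "/* b */" },
];
const REQUESTS = [
  // Owner edits content only: legitimate.
  { authUid: "user-b", id: "boost-2", data: { creatorID: "user-b", js: "/* b2 */" } },
  // Owner rewrites creatorID to another account: the case described above.
  { authUid: "user-a", id: "boost-1", data: { creatorID: "user-b", js: "/* a */" } },
  // Non-owner write: rejected by both checks.
  { authUid: "user-a", id: "boost-2", data: { creatorID: "user-a", js: "/* x */" } },
];

console.log("weak:", ownershipChanges(weakAllowUpdate, STORE, REQUESTS));
console.log("strict:", ownershipChanges(strictAllowUpdate, STORE, REQUESTS));
```

The same replay function works as an audit over historical write records: any accepted write it returns is one where a record changed owner.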