The Arc web browser, recently released on Windows, has experienced its first major security incident. An independent researcher discovered a vulnerability that allowed an attacker to take control of other users’ browsers, without the victims even having to visit a malicious site. But don’t panic, the problem was quickly fixed.

An exploit based on “Arc Boosts”

The flaw in question was discovered by “xyzeva”, a security expert. It concerned the “Arc Boosts” feature that allows users to customize any website with custom CSS and JavaScript code. To prevent abuse, Arc had taken care to assign each Boost to a unique user ID.

But as she explored this feature, xyzeva realized that she could change this ID at will. She could then assign a malicious Boost, containing arbitrary code, to another user’s ID. When the user launched Arc, the browser would retrieve the rigged Boost and execute it whenever the user visited the targeted site.

No users affected due to responsible reporting

Fortunately, xyzeva is a white hat: she immediately reported this flaw to the Arc team before talking about it publicly. The developers were able to fix the problem immediately and verify that no users had been compromised, apart from the researcher herself during her tests.

Hursh Agrawal, CTO and co-founder of The Browser Company, which publishes Arc, reassured the community in a detailed blog post. He explains the causes of this vulnerability (a misconfiguration of Firebase, the backend used by Arc) and the measures taken to remedy it.
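
An added example, not Arc's or Firebase's code: a minimal JavaScript model of the authorization gap described above, where the user ID attached to a Boost can be rewritten by the client, next to a rule that keeps that field immutable. The store, the field names (`ownerId`, `site`, `script`) and the user IDs are constructed for illustration.

```javascript
// Constructed model of a Boost store; field names are assumptions, not Arc's schema.
function makeStore() {
  return new Map([["boost-1", { ownerId: "user-alice", site: "example.com", script: "" }]]);
}

// Weak rule: checks who owns the document before the write, but leaves the
// ownerId field itself writable, so the caller can hand the Boost to anyone.
function weakRule(callerId, existing, incoming) {
  return existing === undefined || existing.ownerId === callerId;
}

// Hardened rule: ownerId must equal the authenticated caller on create
// and can never change on update.
function strictRule(callerId, existing, incoming) {
  if (typeof incoming.ownerId !== "string") return false;
  if (existing === undefined) return incoming.ownerId === callerId;
  return existing.ownerId === callerId && incoming.ownerId === existing.ownerId;
}

// callerId stands for the identity from the verified session, never the request body.
function writeBoost(store, rule, callerId, boostId, incoming) {
  if (!rule(callerId, store.get(boostId), incoming)) return { ok: false };
  store.set(boostId, { ...incoming });
  return { ok: true };
}

// What a client would sync at launch: every Boost filed under its user ID.
function boostsFor(store, userId) {
  return [...store].filter(([, b]) => b.ownerId === userId).map(([id]) => id);
}

// Regression check: can one user move their own Boost into another user's account?
function allowsOwnerReassignment(rule) {
  const store = makeStore();
  const boost = { ownerId: "user-bob", site: "example.com", script: "" };
  writeBoost(store, rule, "user-bob", "boost-2", boost);
  const res = writeBoost(store, rule, "user-bob", "boost-2", { ...boost, ownerId: "user-alice" });
  return res.ok && boostsFor(store, "user-alice").includes("boost-2");
}

console.log("weak rule allows reassignment:", allowsOwnerReassignment(weakRule));
console.log("strict rule allows reassignment:", allowsOwnerReassignment(strictRule));
```

The same two conditions (owner equals the authenticated caller, owner unchanged on update) are what a backend access rule has to enforce, whatever its syntax.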

Arc strengthens its security and communication

Beyond the technical fix, already deployed, Arc intends to learn lessons from this incident:

  • Disable JavaScript by default in Synchronized Boosts
  • Ability for businesses to completely disable Boosts via management tools
  • Gradual migration of features to a backend other than Firebase
  • In-depth security audit of existing systems
  • Implementation of a “security bulletin” to better communicate on these subjects
  • Recruitment of a senior security engineer to strengthen the team

Despite the seriousness of this flaw, Arc’s responsiveness and transparency are commendable. Hopefully, this will encourage them to be extra vigilant as their browser gains popularity. Users will appreciate being kept informed of these types of incidents, rather than learning about them months later in the press.
