Arc Browser Fixes Serious Security Vulnerability
The Browser Company, the maker of the Arc browser, has admitted that a security researcher found a critical flaw that allowed attackers to use Boosts to compromise their targets' systems.
The ability to customize websites is one of the advantages that sets the browser apart from its competitors.
The feature called Boosts allows users to change the background color of a website, switch to a font they prefer or one that is easier for them to read, and even remove unwanted elements from the page.
Edits are not supposed to be visible to anyone else, although they can be shared across devices.
In a blog post about the vulnerability written by a security researcher known as xyzeva, she explained that the Browser Company used the database as a Firebase backend service to support several Arc features.
For Boosts, in particular, the company is using Firebase to share and sync customizations across devices.
xyzeva showed how the browser relies on the creatorID to load Boosts across the device, and how someone could change this element to their target ID and set the target Boosts they created.
If an attacker creates malicious Boosts, they can change the creator ID to the creator ID of the intended target.
When the intended victim visits the website via Arc, it downloads the attacker's malware without their knowledge.
The researcher explained that it is very easy to obtain user IDs for the browser, as the user who refers someone to Arc exchanges his ID with the recipient, and if he also creates an account from a referral, the person who sent it also gets his ID.
Users can also exchange Boosts with others, and Arc has a page with public Boosts that includes the creator IDs of the people who made them.
The Browser Company said that Xyzeva notified it about the security issue on August 25 and that it issued a fix with the researcher's help.
It also assured users that no one was able to exploit the vulnerability, and no users were affected. The company has implemented a range of security measures to prevent a similar situation from occurring, including moving from Firebase, disabling JavaScript via simultaneous Boosts by default, creating a bug bounty program, and hiring a new security engineer.