Popular Arc Browser Is Working to Fix a Serious Security Vulnerability
In late August, The Browser Company, the company behind the popular Arc browser for Mac, identified a critical vulnerability in the browser that could allow remote code execution on other users’ machines without any direct interaction from the victim. Although the company patched the vulnerability quickly after being alerted, the details of the threat are worth understanding. According to The Browser Company, the vulnerability has not affected any users so far, and no immediate Arc update is required to stay protected because the fix was made server-side. The company confirmed that this incident represents “the first serious security issue in Arc’s history.”
Security researcher xyz3va filed a confidential report with Arc, noting that the discovered vulnerability was related to the Boost feature, which allows users to customize websites with their own CSS and JavaScript. Arc has acknowledged that sharing custom JavaScript can be risky, and it has never officially allowed Boosts containing custom JavaScript to be shared with other users. However, a flaw was found in this system that poses a potential risk.
In short, Arc stores custom Boosts, JavaScript included, on its servers for cross-device syncing. Additionally, Arc uses Firebase as a backend for some features, and a misconfiguration was found that allowed users to modify a Boost’s creator ID after the Boost had been created. This created a security vulnerability: because a Boost syncs to the devices of whoever is recorded as its creator, a user who obtained someone else’s ID could set it as the creator ID of their own Boost and have that Boost, with its JavaScript, sync to the other user’s device, which is a serious risk.
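The class of misconfiguration described above can be illustrated with Cloud Firestore security rules. This is an added example, not Arc’s actual configuration: it assumes Firestore was the Firebase product involved, and the collection name `boosts` and field name `creator_id` are hypothetical. The commented-out rule is the weak form, where any signed-in user may update any field; the rules below it restrict updates to the owner and pin the creator ID so it can never be re-pointed at another account.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Hypothetical collection holding synced Boost documents.
    match /boosts/{boostId} {
      // Weak (do not use): any signed-in user may rewrite any field,
      // including creator_id, so a Boost can be re-assigned to a victim.
      // allow update: if request.auth != null;

      // A user may only read Boosts recorded as their own.
      allow read: if request.auth != null
                  && resource.data.creator_id == request.auth.uid;

      // A new Boost must name its creator as the authenticated user.
      allow create: if request.auth != null
                    && request.resource.data.creator_id == request.auth.uid;

      // Only the owner may update, and creator_id is immutable after creation.
      allow update: if request.auth != null
                    && resource.data.creator_id == request.auth.uid
                    && request.resource.data.creator_id == resource.data.creator_id;

      // Only the owner may delete.
      allow delete: if request.auth != null
                    && resource.data.creator_id == request.auth.uid;
    }
  }
}
```

The Firebase Rules Playground or the local emulator can be used to verify that an update changing `creator_id` is rejected even for the document’s owner.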
To address this issue, JavaScript will be disabled in synced Boosts by default to prevent similar attacks in the future. The company also plans to integrate Firebase into new features and products, and to list security fixes in the Arc release notes for greater transparency. Additionally, it plans to expand its security team and recently hired a new security engineer.