The Browser Company has announced a security vulnerability in the Arc browser, CVE-2024-45489. The Arc browser vulnerability was discovered on August 25, 2024, and was addressed within a day, ensuring that Arc users remained protected from potential threats.
The Browser Company’s Chief Technology Officer and co-founder, Hursh, reported that the Arc browser vulnerability stemmed from a misconfiguration in the Firebase Access Control Lists (ACLs) used to secure user data.
This flaw had the potential to allow remote code execution on users’ devices, creating a risk where unauthorized individuals could manipulate website functionalities through customized scripts and styles. Fortunately, the company reported that the vulnerability was not exploited by any malicious actor, aside from the security researcher who first reported it.
Timeline of the Arc Browser Vulnerability
On August 25, 2024, a vulnerability in the Arc browser was discovered by The Browser Company. The following day, on August 26, 2024, the issue was patched, and the fix was rolled out to all users. Hursh emphasized that, despite the seriousness of this security incident, no users were affected. A thorough review of Firebase access logs confirmed that the only changes to creator IDs of custom “Boosts” were made by the reporting researcher.
Arc includes a feature known as “Boosts,” which allows users to customize websites using custom CSS and JavaScript. While this feature offers great flexibility, it also raises security concerns, prompting The Browser Company to limit the sharing of Boosts with custom JavaScript among users.
Unfortunately, the Arc browser vulnerability resulted from misconfigured Access Control Lists (ACLs), which permitted unauthorized changes to the creator ID associated with a Boost. This flaw could have enabled users to execute their custom scripts on the devices of other users, thereby posing a risk.
Mitigation Measures
In response to the Arc browser vulnerability, the company took immediate action. The ACL misconfiguration was promptly fixed, and a comprehensive analysis was undertaken to ensure that no unauthorized activity had occurred. The company expressed gratitude to the security researcher, xyz3va, for their responsible disclosure and collaboration in patching the vulnerability.
Several key mitigation strategies were implemented following this incident:
- The Browser Company has initiated an in-depth external audit of their existing Firebase ACLs to identify any potential vulnerabilities.
- Custom JavaScript in synced Boosts will be disabled by default, requiring explicit user permission to enable them.
- The company plans to transition away from Firebase for new features, reducing the risk of future ACL-related vulnerabilities.
- A new communication channel will be created to keep users informed about security vulnerabilities, mitigation strategies, and any affected parties.
- Although a formal bug bounty program is still in the works, the company has already begun awarding bounties for reported vulnerabilities.
- To bolster their security efforts, The Browser Company has hired a new senior security engineer.
Future Directions
The Browser Company stated that they have recognized the need for continuous improvement in its security practices and user communication. By implementing stricter protocols and enhancing its response framework, The Browser Company aims to reassure its users of their commitment to security.
The Browser Company is dedicated to learning from this experience and strengthening its security posture to protect users effectively in the future. For users of the Arc browser, no action is required at this time, as the vulnerability has been fully addressed.
