A security researcher recently uncovered a “catastrophic” vulnerability in the Arc browser that could have allowed attackers to inject arbitrary code into other users’ browser sessions using only a readily accessible user ID.
The issue was patched on August 26th and publicly disclosed today in a blog post by researcher xyz3va, along with a statement from The Browser Company. According to the company, logs show that no users were impacted by the flaw.
The vulnerability, identified as CVE-2024-45489, stemmed from a misconfiguration in The Browser Company’s use of Firebase, a service providing backend database storage for user information, including Arc Boosts—a feature that lets users customize the look of websites with custom CSS and JavaScript.
In its official statement, The Browser Company explained:
Arc has a feature called Boosts that allows users to apply custom CSS and JavaScript to any website.
Since running arbitrary JavaScript on websites poses security risks, we decided not to allow Boosts with custom JavaScript to be shared across users. However, we still synced them to our server so users could access their Boosts across devices.
We use Firebase for some Arc features, including syncing and sharing Boosts.
Unfortunately, our Firebase Access Control Lists (ACLs) were misconfigured, which meant users could modify the creatorID of a Boost after its creation.
This flaw allowed any Boost to be assigned to any user (if the attacker had the user’s ID), activating the Boost with custom CSS or JavaScript on the targeted website.
In the words of xyz3va:
- arc boosts can contain arbitrary javascript
- arc boosts are stored in firestore
- the arc browser gets which boosts to use via the creatorID field
- we can arbitrarily change the creatorID field to any user id
Obtaining someone’s creatorID was relatively easy through referral links, shared easels, or publicly shared Boosts.
With that ID, an attacker could have inserted malicious code into a custom Boost and activated it in the victim’s Arc browser without any involvement from the victim—an extremely serious security flaw.
The Browser Company acted swiftly. After xyz3va reported the issue to cofounder Hursh Agrawal and demonstrated it, the researcher was added to the company Slack within minutes. The bug was fixed the following day.
The company’s statement outlined the steps it is taking to prevent future issues, including launching a bug bounty program, moving away from Firebase, disabling custom JavaScript on synced Boosts, and expanding its security team.
