Arc Browser, which lets you customize websites, was highly vulnerable
One of the features that sets Arc Browser apart from its competitors is the ability to customize websites. A feature called “Boosts” lets users change a site’s background color, switch to a font they prefer or find easier to read, and even remove unwanted content from the page altogether. Those changes should not be visible to anyone else, but users can share them across their own devices. Now Arc’s creator, The Browser Company, has acknowledged that a security researcher discovered a critical flaw that would have allowed attackers to use Boosts to compromise their targets’ systems.
The company used Firebase, which a security researcher known as “xyzeva” described in their post about the vulnerability as a “database service-as-backend”, to support several Arc features. For Boosts in particular, it is used to share and synchronize customizations across devices. In their post, xyzeva showed that the browser relies on the creator’s identity (the creatorID) to decide which Boosts to load on a device. They also showed how someone can change that field to a target’s identifier and thereby push Boosts they created onto the target.
If a bad actor creates a Boost with a malicious upload, for example, they can simply change its creatorID to that of their target. When the intended victim then visits the affected website in Arc, they can unknowingly download the attacker’s malware. And as the researcher explained, the IDs of Arc users are very easy to find. A user who refers someone to Arc shares their ID with the recipient, and if the recipient then creates an account through the referral, the referrer receives the recipient’s ID as well. Users can also share their Boosts with others, and Arc has a Public Boosts page that lists the creator IDs of the people who published them.
In its own post, The Browser Company said the security issue was reported on August 25 and that it fixed it a day later with the researcher’s help. It also assured users that no one had exploited the vulnerability and that no user was affected. The company has since implemented several security measures to prevent a similar situation, including moving away from Firebase, disabling JavaScript in auto-synced Boosts, establishing a bug bounty program and hiring a new security engineer.
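The root cause described above is an authorization attribute (creatorID) that the backend took from the uploaded document instead of from the authenticated identity. The model below is an added example, not code from Arc, The Browser Company or xyzeva’s post: the class and field names, the document layout and the constructed IDs are assumptions for illustration, and the ownership check is written as ordinary server-side logic, whereas in Firebase itself it would live in a security rule comparing the stored creatorID against request.auth.uid. It contrasts a store that trusts the client-supplied creatorID with one that derives ownership from the session and, matching one of the mitigations listed above, refuses JavaScript in synced Boosts.

```python
"""Model of a Boost-style sync backend: client-trusted creatorID versus
server-enforced ownership. Added example; names and layout are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Identity established by the backend's own authentication step.
    Only this uid may be trusted; anything inside an uploaded document is not."""
    uid: str


@dataclass
class Boost:
    """A per-site customization document, roughly as the article describes it:
    creatorID decides whose browser loads it, the rest is the customization."""
    boost_id: str
    creator_id: str   # the "creatorID" field from the article
    host: str         # site the Boost applies to
    css: str = ""
    js: str = ""


class VulnerableBoostStore:
    """Stores creatorID exactly as uploaded, never comparing it with the
    authenticated identity. This is the flaw the article describes."""

    def __init__(self) -> None:
        self.docs: dict[str, Boost] = {}

    def upload(self, session: Session, boost: Boost) -> None:
        self.docs[boost.boost_id] = boost  # creator_id is never checked

    def boosts_for(self, uid: str, host: str) -> list[Boost]:
        """What a browser signed in as `uid` loads when it visits `host`."""
        return [b for b in self.docs.values()
                if b.creator_id == uid and b.host == host]


class HardenedBoostStore(VulnerableBoostStore):
    """Ownership comes from the session, existing documents cannot be taken
    over, and synced Boosts may not carry JavaScript."""

    def upload(self, session: Session, boost: Boost) -> None:
        if boost.creator_id != session.uid:
            raise PermissionError("creatorID must equal the authenticated uid")
        existing = self.docs.get(boost.boost_id)
        if existing is not None and existing.creator_id != session.uid:
            raise PermissionError("cannot overwrite another user's Boost")
        if boost.js.strip():
            raise ValueError("JavaScript is not accepted in synced Boosts")
        self.docs[boost.boost_id] = boost


def simulate(store: VulnerableBoostStore) -> dict:
    """Constructed scenario: an uploader who knows another user's creatorID
    (the article notes these leak via referrals and the public Boosts page)
    submits a Boost stamped with it. Returns whether the upload was rejected
    and whether the other user's browser would load foreign JavaScript."""
    uploader = Session(uid="uploader-uid")   # constructed ids
    other_uid = "other-user-uid"
    spoofed = Boost(boost_id="boost-1", creator_id=other_uid,
                    host="example.com", js="/* script not written by other-user */")
    try:
        store.upload(uploader, spoofed)
        rejected = False
    except (PermissionError, ValueError):
        rejected = True
    loaded = store.boosts_for(other_uid, "example.com")
    return {"upload_rejected": rejected,
            "foreign_js_loaded": any(b.js for b in loaded)}


if __name__ == "__main__":
    print("vulnerable:", simulate(VulnerableBoostStore()))
    print("hardened:  ", simulate(HardenedBoostStore()))
```

The detection angle follows from the same check: a backend that logs every write where the submitted creatorID differs from the session uid has a direct signal for this class of abuse, and a store that rejects such writes leaves the read path, which already filters by creatorID, unchanged.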