One of the features that sets Arc Browser apart from its competitors is the ability to customize websites. feature called “Strengthens” allows users to change a website’s background color, switch to a font they like or find easier to read, and even remove unwanted elements from a page entirely. Their changes shouldn’t be visible to anyone else. , but the Browser Company, the creator of Arc, can share them across devices accepted a security researcher said he found a serious flaw that could allow attackers to use Boosters to take over their targets’ systems.
The company used Firebase, which a security researcher known as “xyzeva” described as a “database-backend service”. essay on vulnerabilityto support multiple Arc functions. Specifically for Boosts, it is used to share and sync customizations between devices. In Xyzeva’s post, they show how the browser relies on the creator ID (creatorID) to download Boosts on a device. They also shared how someone could change that item to their target’s ID tag and set the target Boosters they created.
If a bad actor, for example, Boosts with a malicious payload, they can simply change their creatorID to the creatorID of their intended target. When an intended victim visits a website on Arc, they may unknowingly download the hacker’s malware. As the researcher explained, it is quite easy for the browser to obtain user IDs. A user who refers someone to Arc will share their ID with the recipient, and if they created an account from the referral, the sender will also receive the ID. Users can also share their Powers with others, and Arc has a page with public Powers that includes the creator IDs of the people who created them.
In its post, the browser company said it notified xyzeva of the security issue on August 25 and issued a fix a day later with the help of a researcher. It also assured users that no one can exploit the vulnerability, no user is affected. The company has also implemented a number of security measures to prevent a similar situation, including deprecating Firebase, disabling Javascript by default in synced Boosters, creating a buggy rewards program, and hiring a new chief security engineer.