Sunday, December 8, 2024
HomeBug BountyCritical Arc Browser Vulnerability Let Attackers Execute Remote Code

Critical Arc Browser Vulnerability Let Attackers Execute Remote Code

Published on

SIEM as a Service

Arc’s Boosts feature lets users customize websites with CSS and JavaScript. While JavaScript Boosts are not shareable to protect security, they are synced across devices for personal use.

Misconfigured Firebase ACLs enabled unauthorized users to modify the creatorID of Boosts, allowing them to activate Boosts intended for other users and execute arbitrary code on websites where those Boosts were active.

An analysis of Firebase access logs revealed no unauthorized creatorID changes among Arc members, indicating the vulnerability did not compromise their accounts.

- Advertisement - SIEM as a Service

By collaborating with the vendor to patch ACLs, they mitigated a critical vulnerability, verified the fix, submitted it for a CVE, and offered a bounty to the researcher despite lacking a formal bug bounty program.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

They are committed to enhancing the response and disclosure processes for security vulnerabilities, especially after encountering the first significant vulnerability in Arc, which catalyzes to improve our practices and ensure a more robust security posture.

They have rectified the issue of accidental website leakage during Boost editor navigation by preventing such requests from being logged and ensuring they only occur when the editor is open. 

This is in accordance with the privacy policy and rectifies a security flaw that should not have been present in the product. 

JavaScript is now disabled by default on synced Boosts, and any Boosts created on other devices with custom JavaScript will need to be manually enabled to continue functioning.

They are disabling Boosts for the entire organization through MDM configuration and transitioning away from Firebase for new features and products to address ACL-related issues.

By conducting an urgent, more thorough audit of the existing Firebase Access Control Lists (ACLs), they identify potential security loopholes in addition to the regular external security audits every six months. 

Despite this, they are still planning to migrate away from Firebase for all future features and develop a security bulletin to inform the users about vulnerabilities, provide effective mitigation strategies, and transparently disclose the scope of affected individuals. 

They hope to keep the same clarity and comprehensiveness in their communications, which they have been inspired to do by Tailscale’s outstanding security reporting.

They are also enhancing the bounty program by defining specific reward amounts for different severity levels and expanding the security team with a new senior security engineer, which will strengthen the overall security posture.

By including security mitigations in client release notes, even though they were server-side fixes, they will ensure that members get timely information about updates to Arc through the primary channel they use.

Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...