Cyber Security News

Critical Arc Browser Vulnerability Let Attackers Execute Remote Code

Arc’s Boosts feature lets users customize websites with CSS and JavaScript. While JavaScript Boosts are not shareable to protect security, they are synced across devices for personal use.

Misconfigured Firebase ACLs enabled unauthorized users to modify the creatorID of Boosts, allowing them to activate Boosts intended for other users and execute arbitrary code on websites where those Boosts were active.

An analysis of Firebase access logs revealed no unauthorized creatorID changes among Arc members, indicating the vulnerability did not compromise their accounts.

By collaborating with the vendor to patch ACLs, they mitigated a critical vulnerability, verified the fix, submitted it for a CVE, and offered a bounty to the researcher despite lacking a formal bug bounty program.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

They are committed to enhancing the response and disclosure processes for security vulnerabilities, especially after encountering the first significant vulnerability in Arc, which catalyzes to improve our practices and ensure a more robust security posture.

They have rectified the issue of accidental website leakage during Boost editor navigation by preventing such requests from being logged and ensuring they only occur when the editor is open. 

This is in accordance with the privacy policy and rectifies a security flaw that should not have been present in the product. 

JavaScript is now disabled by default on synced Boosts, and any Boosts created on other devices with custom JavaScript will need to be manually enabled to continue functioning.

They are disabling Boosts for the entire organization through MDM configuration and transitioning away from Firebase for new features and products to address ACL-related issues.

By conducting an urgent, more thorough audit of the existing Firebase Access Control Lists (ACLs), they identify potential security loopholes in addition to the regular external security audits every six months. 

Despite this, they are still planning to migrate away from Firebase for all future features and develop a security bulletin to inform the users about vulnerabilities, provide effective mitigation strategies, and transparently disclose the scope of affected individuals. 

They hope to keep the same clarity and comprehensiveness in their communications, which they have been inspired to do by Tailscale’s outstanding security reporting.

They are also enhancing the bounty program by defining specific reward amounts for different severity levels and expanding the security team with a new senior security engineer, which will strengthen the overall security posture.

By including security mitigations in client release notes, even though they were server-side fixes, they will ensure that members get timely information about updates to Arc through the primary channel they use.

Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware has…

3 hours ago

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as a…

3 hours ago

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black Banshee,”…

3 hours ago

APT37 Hackers Use Weaponized LNK Files and Dropbox for Command-and-Control Operations

The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear phishing…

3 hours ago

Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New!

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core Update…

7 hours ago

Threat Actors Leverage DDoS Attacks as Smokescreens for Data Theft

Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded by…

7 hours ago