Cyber Security News

Critical Arc Browser Vulnerability Let Attackers Execute Remote Code

Arc’s Boosts feature lets users customize websites with CSS and JavaScript. While JavaScript Boosts are not shareable to protect security, they are synced across devices for personal use.

Misconfigured Firebase ACLs enabled unauthorized users to modify the creatorID of Boosts, allowing them to activate Boosts intended for other users and execute arbitrary code on websites where those Boosts were active.

An analysis of Firebase access logs revealed no unauthorized creatorID changes among Arc members, indicating the vulnerability did not compromise their accounts.

By collaborating with the vendor to patch ACLs, they mitigated a critical vulnerability, verified the fix, submitted it for a CVE, and offered a bounty to the researcher despite lacking a formal bug bounty program.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

They are committed to enhancing the response and disclosure processes for security vulnerabilities, especially after encountering the first significant vulnerability in Arc, which catalyzes to improve our practices and ensure a more robust security posture.

They have rectified the issue of accidental website leakage during Boost editor navigation by preventing such requests from being logged and ensuring they only occur when the editor is open. 

This is in accordance with the privacy policy and rectifies a security flaw that should not have been present in the product. 

JavaScript is now disabled by default on synced Boosts, and any Boosts created on other devices with custom JavaScript will need to be manually enabled to continue functioning.

They are disabling Boosts for the entire organization through MDM configuration and transitioning away from Firebase for new features and products to address ACL-related issues.

By conducting an urgent, more thorough audit of the existing Firebase Access Control Lists (ACLs), they identify potential security loopholes in addition to the regular external security audits every six months. 

Despite this, they are still planning to migrate away from Firebase for all future features and develop a security bulletin to inform the users about vulnerabilities, provide effective mitigation strategies, and transparently disclose the scope of affected individuals. 

They hope to keep the same clarity and comprehensiveness in their communications, which they have been inspired to do by Tailscale’s outstanding security reporting.

They are also enhancing the bounty program by defining specific reward amounts for different severity levels and expanding the security team with a new senior security engineer, which will strengthen the overall security posture.

By including security mitigations in client release notes, even though they were server-side fixes, they will ensure that members get timely information about updates to Arc through the primary channel they use.

Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra ID…

22 hours ago

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages Google…

23 hours ago

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated by…

23 hours ago

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool installers,…

24 hours ago

Pure Crypter Uses Multiple Evasion Methods to Bypass Windows 11 24H2 Security Features

Pure Crypter, a well-known malware-as-a-service (MaaS) loader, has been recognized as a crucial tool for…

24 hours ago

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges

A recent discovery by security researchers at BeyondTrust has revealed a critical, yet by-design, security…

1 day ago