Critical Arc Browser Vulnerability Let Attackers Execute Remote Code

Arc’s Boosts feature lets users customize websites with CSS and JavaScript. While JavaScript Boosts are not shareable to protect security, they are synced across devices for personal use.

Misconfigured Firebase ACLs enabled unauthorized users to modify the creatorID of Boosts, allowing them to activate Boosts intended for other users and execute arbitrary code on websites where those Boosts were active.

An analysis of Firebase access logs revealed no unauthorized creatorID changes among Arc members, indicating the vulnerability did not compromise their accounts.

By collaborating with the vendor to patch ACLs, they mitigated a critical vulnerability, verified the fix, submitted it for a CVE, and offered a bounty to the researcher despite lacking a formal bug bounty program.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

They are committed to enhancing the response and disclosure processes for security vulnerabilities, especially after encountering the first significant vulnerability in Arc, which catalyzes to improve our practices and ensure a more robust security posture.

They have rectified the issue of accidental website leakage during Boost editor navigation by preventing such requests from being logged and ensuring they only occur when the editor is open. 

This is in accordance with the privacy policy and rectifies a security flaw that should not have been present in the product. 

JavaScript is now disabled by default on synced Boosts, and any Boosts created on other devices with custom JavaScript will need to be manually enabled to continue functioning.

They are disabling Boosts for the entire organization through MDM configuration and transitioning away from Firebase for new features and products to address ACL-related issues.

By conducting an urgent, more thorough audit of the existing Firebase Access Control Lists (ACLs), they identify potential security loopholes in addition to the regular external security audits every six months. 

Despite this, they are still planning to migrate away from Firebase for all future features and develop a security bulletin to inform the users about vulnerabilities, provide effective mitigation strategies, and transparently disclose the scope of affected individuals. 

They hope to keep the same clarity and comprehensiveness in their communications, which they have been inspired to do by Tailscale’s outstanding security reporting.

They are also enhancing the bounty program by defining specific reward amounts for different severity levels and expanding the security team with a new senior security engineer, which will strengthen the overall security posture.

By including security mitigations in client release notes, even though they were server-side fixes, they will ensure that members get timely information about updates to Arc through the primary channel they use.

Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free