Arc browser's unique feature exposed users to potential cyberattacks
The Arc browser, developed by the Browser Company, has been identified as having a significant security flaw. This vulnerability was discovered in its unique "Boosts" feature, which allows users to personalize websites. The issue could have potentially allowed cybercriminals to exploit this feature and compromise user systems. The discovery was made public by a security researcher known as "xyzeva."
How the 'Boosts' feature was exploited
The Arc browser uses Firebase, a "database-as-a-backend service," to support several features including "Boosts." The security flaw was found in how the browser uses a creator's identification (creatorID) to load Boosts on a device. Xyzeva demonstrated that an attacker could alter this element to match their target's identification tag, and assign that target Boosts they had created.
Potential for malware distribution through Arc browser
The security flaw in the Arc browser could have been exploited to distribute malware. If a cybercriminal created a Boost containing malicious content, they could change their creatorID to match that of their intended victim. The victim would then unknowingly download the hacker's malware when visiting the website on Arc. Xyzeva also highlighted that obtaining user IDs for the browser was relatively easy, further increasing this risk.
Browser Company's response to the security flaw
The Browser Company was alerted about the security issue on August 25 by xyzeva, and promptly issued a fix the following day with the researcher's assistance. The company assured users that no one had exploited this vulnerability and no user was affected. In response to this incident, several new security measures have been implemented including moving away from Firebase, disabling Javascript on synced Boosts by default, launching a bug bounty program, and hiring a new senior security engineer.
