One of the features that sets the Arc browser apart from its competitors is the ability to customize websites. The feature, called “Boosts,” lets users change a website’s background color, switch to a font they prefer or find easier to read, and even remove unwanted elements from the page entirely. These modifications are not supposed to be visible to anyone else, although users can sync them across their own devices. Now Arc’s creator, The Browser Company, has acknowledged that a security researcher found a serious flaw that would have allowed attackers to use Boosts to compromise their targets’ systems.
The company used Firebase, which the security researcher known as “xyzeva” described in their vulnerability post as a “database service as a backend,” to support various Arc features. For Boosts in particular, it is used to share and sync customizations across devices. In the post, xyzeva showed that the browser relies on a creator’s ID (creatorID) to decide which Boosts to load onto a device. They also showed how someone could change that field to their target’s ID and thereby assign Boosts they had created to that target.
If a malicious actor creates a Boost carrying a malicious payload, for example, they can simply replace their own creator ID with the creator ID of their intended target. When the victim then visits that website in Arc, they could unwittingly run the attacker’s code. And as the researcher explained, user IDs for the browser are fairly easy to obtain: a user who refers someone to Arc shares their ID with the recipient, and if the recipient created their account through that referral, the referrer also receives the recipient’s ID. Users can also share their Boosts with others, and Arc has a page of public Boosts that includes the creator IDs of the people who made them.
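The flaw described above is an ownership-binding failure: the backend accepted whatever creatorID the client wrote, and devices load Boosts by matching that field against their own user ID. The following added example (it is neither Arc’s code nor the researcher’s proof of concept) models that class of bug with a toy document store in Python. The collection layout, the field names `creatorID`, `site` and `css`, the user IDs and the two rule functions are all hypothetical; the weak rule reproduces the trusting behaviour the article describes, and the hardened rule shows the check that closes it, plus an audit trail of denied writes for detection.

```python
"""Toy model of backend write rules for a synced-customization store.

Added illustration only: not Arc's or The Browser Company's code, and not
xyzeva's proof of concept. The document layout ('boosts' keyed by ID, each
with creatorID/site/css) and the user IDs are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# A rule sees the authenticated uid (None if unauthenticated), the stored
# document (None on create) and the proposed document; it returns allow/deny.
Rule = Callable[[Optional[str], Optional[dict], dict], bool]


def weak_write_rule(auth_uid, existing, proposed):
    """Flawed rule: any signed-in user may create or overwrite any document,
    and creatorID is accepted as whatever the client sent."""
    return auth_uid is not None


def hardened_write_rule(auth_uid, existing, proposed):
    """Ownership-bound rule: creatorID must equal the caller's identity on the
    proposed document and, for updates, on the stored one too, so a document
    can never be re-pointed at another user."""
    if auth_uid is None or proposed.get("creatorID") != auth_uid:
        return False
    return existing is None or existing.get("creatorID") == auth_uid


@dataclass
class BoostStore:
    write_rule: Rule
    docs: dict = field(default_factory=dict)
    denied: list = field(default_factory=list)  # audit trail of rejected writes

    def write(self, auth_uid, boost_id, data) -> bool:
        """Apply the rule, record denials (useful detection signal), then store."""
        existing = self.docs.get(boost_id)
        if not self.write_rule(auth_uid, existing, data):
            self.denied.append((auth_uid, boost_id, data.get("creatorID")))
            return False
        self.docs[boost_id] = dict(data)
        return True

    def sync_for(self, uid) -> list:
        """What a device signed in as `uid` pulls down on sync:
        every stored boost whose creatorID equals uid."""
        return sorted(b for b, d in self.docs.items() if d.get("creatorID") == uid)


def run_scenario(rule: Rule) -> list:
    """Constructed scenario: 'attacker-uid' saves a boost, then rewrites it
    with the victim's creatorID. Returns the boost IDs the victim's device
    would load afterwards."""
    store = BoostStore(rule)
    boost = {"creatorID": "attacker-uid", "site": "example.com", "css": "body{}"}
    store.write("attacker-uid", "boost-1", boost)
    store.write("attacker-uid", "boost-1", {**boost, "creatorID": "victim-uid"})
    return store.sync_for("victim-uid")


if __name__ == "__main__":
    print("weak rule, victim loads:", run_scenario(weak_write_rule))        # ['boost-1']
    print("hardened rule, victim loads:", run_scenario(hardened_write_rule))  # []
```

Under the weak rule the victim’s device loads `boost-1`, which it never created; under the hardened rule the re-pointing write is denied and logged, and the victim loads nothing. The same property is what a real backend’s server-side rules must enforce: the owner field is derived from the authenticated identity, never from the request body.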
In its post, The Browser Company said it was notified of the security issue by xyzeva on August 25 and issued a fix a day later with the researcher’s help. It also assured users that no one had exploited the vulnerability and that no users were affected. The company has since implemented several security measures to prevent a similar situation, including removing Firebase, disabling JavaScript in synced Boosts by default, establishing a bug bounty program, and hiring a new senior security engineer.