Security Researcher Uncovers Major Bug in Arc Browser’s Boost Feature

Key Takeaways

• A security researcher has discovered a serious flaw in the Arc browser that could have put users at risk. 

• The issue, identified as CVE-2024-45489, was found in Arc's Boost feature, which allows users to customize websites.

• Thankfully, the vulnerability was patched on August 26, and no users were harmed.

The researcher, known as “xyz3va” on X, revealed this critical flaw, which could have allowed attackers to sneak malicious code into a user’s browser. Imagine visiting your favorite website and unknowingly giving someone else control over your browser—that’s how dangerous this bug was.

The problem came from a misconfiguration in Arc’s connection to Firebase, a backend service supported by Google. It was a hidden risk that could have easily gone unnoticed, but thanks to xyz3va’s keen eye, the issue was caught just in time. On August 25, while tinkering with the Boost feature, she found that by manipulating user IDs, an attacker could inject harmful code. If a victim visited a specific website, the attacker could take control of their browser session without their knowledge.

Arc quickly responded, patching the vulnerability the next day. They made significant improvements to their security, such as disabling JavaScript on synced Boosts and moving away from Firebase for future features. To ensure nothing like this happens again, they even launched an external audit of their system and promised regular security checks every six months.

This was the first major bug Arc had encountered, and instead of brushing it off, they’ve used it as a wake-up call. The company is now committed to tightening its security measures and improving how it handles these situations. They’ve even enhanced their bug bounty program, offering researchers like xyz3va $2,000 for discovering this vulnerability.

While this incident could have been disastrous, Arc handled it with transparency and quick action. It’s a reminder that even the most advanced tools can have flaws, but what matters is how they’re fixed and the lessons learned. With these new improvements, Arc is determined to make sure something like this doesn’t happen again, keeping their users safe and secure.