Arc browser patches critical vulnerability allowing users to inject malicious JavaScript
Take action: Arc fixed the issue on its backend, so no action is needed if you use the browser. The broader lesson: allowing users to inject code into a product, and then intermixing that code with other users' data or storing it centrally, is extremely dangerous and requires continuous, costly testing. Otherwise you may find yourself compromised by user code you explicitly allowed on your platform. Consider whether you really want such a feature, and whether you have the bandwidth to secure it.
Learn More
A critical vulnerability was identified and addressed in the Arc browser, developed by The Browser Company.
The flaw, tracked as CVE-2024-45489 (CVSS score 9.8), is a remote code execution (RCE) vulnerability that could allow attackers to inject arbitrary code into other users' browser sessions without any user interaction.
The vulnerability originated from a misconfiguration in Arc’s Firebase Access Control Lists (ACLs), which are responsible for securing the endpoints for various browser features, including the "Boosts" feature. Boosts allow users to customize websites using custom CSS and JavaScript. Although Arc took measures to prevent sharing Boosts containing custom JavaScript, they still synced these Boosts to their servers to facilitate cross-device functionality.
The flaw allowed malicious actors to modify the "creatorID" field of any Boost, essentially enabling them to assign custom Boosts to any user. By gaining access to a user’s unique ID, an attacker could push malicious JavaScript to a victim's browser session, executing arbitrary code without requiring the victim to visit a specific malicious site.
The issue was rooted in the incorrect configuration of Firebase ACLs, which permitted the modification of Boosts' creator IDs after they were created. This misconfiguration allowed attackers to exploit the "Boosts" feature to inject harmful code across user devices by simply knowing the victim's user ID.
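As an added illustration of the class of misconfiguration described above, and not a reconstruction of The Browser Company's actual rules, the following Cloud Firestore Security Rules contrast an over-permissive write rule with a hardened one. It assumes Boosts are stored as documents in a `boosts` collection and that each document carries the `creatorID` field named in the article; the collection name, the helper functions and the "vulnerable" rule are assumptions for this example only.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed layout: one document per Boost, carrying a creatorID field.
    //
    // VULNERABLE pattern (assumed, for illustration): any signed-in user may
    // write any Boost document, including rewriting creatorID to point at
    // another user's uid, which is exactly the reassignment the article
    // describes. Left commented out so it cannot be deployed by accident.
    //
    // match /boosts/{boostId} {
    //   allow read, write: if request.auth != null;
    // }

    // Hardened pattern: a Boost is readable and writable only by its creator,
    // and creatorID is fixed at creation time and immutable afterwards.
    match /boosts/{boostId} {
      function isSignedIn() {
        return request.auth != null;
      }
      // doc is a document's data map (resource.data or request.resource.data)
      function isOwner(doc) {
        return isSignedIn() && doc.creatorID == request.auth.uid;
      }

      // Only the creator can read their own Boost.
      allow read: if isOwner(resource.data);

      // On create, the document must be stamped with the caller's own uid,
      // so nobody can create a Boost "on behalf of" another user.
      allow create: if isSignedIn()
                    && request.resource.data.creatorID == request.auth.uid;

      // On update, the caller must already own the stored document and the
      // post-write state (request.resource) must keep the same creatorID.
      allow update: if isOwner(resource.data)
                    && request.resource.data.creatorID == resource.data.creatorID;

      allow delete: if isOwner(resource.data);
    }
  }
}
```

The defining check is the one on `update`: comparing `request.resource.data.creatorID` (the state after the write) with `resource.data.creatorID` (the state before it) is what makes the ownership field immutable; an equivalent formulation is `!request.resource.data.diff(resource.data).affectedKeys().hasAny(['creatorID'])`. Rules like these should be exercised against the Firebase Local Emulator Suite with the rules unit-testing library before deployment, with a negative test that a second authenticated user cannot change another user's `creatorID`.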
The vulnerability was disclosed privately by the security researcher "xyz3va" on August 25, 2024, and a patch was released on August 26, 2024, following the private report. Hursh Agarwal, CTO and co-founder of The Browser Company, wrote in a post that no evidence of exploitation in the wild was found, apart from the controlled tests conducted by the researcher.
Arc states that the issue is fixed on its backend services and that no user action is necessary.
The company immediately rolled out several fixes, including:
- Disabling JavaScript on synced Boosts by default, requiring explicit activation.
- Implementing Mobile Device Management (MDM) configuration options to disable Boosts across organizations.
- Fixing privacy concerns regarding website information leakage during Boost editing.
- Transitioning away from Firebase for new features to prevent future ACL-related issues.
- Conducting an audit of existing Firebase ACLs and bolstering the security team by hiring a new senior security engineer.
Additionally, they addressed a related privacy concern wherein website visit data was unintentionally sent to their servers when the Boost feature was active, a breach of their privacy policy. The company committed to resolving this issue in the v1.61.1 update.