- by theverge
- 21 Sep 2024
Researcher reveals ‘catastrophic’ security flaw in the Arc browser
A security researcher revealed a “catastrophic” vulnerability in the Arc browser that would have allowed attackers to insert arbitrary code into other users’ browser sessions with little more than an easily findable user ID. The vulnerability was patched on August 26th and disclosed today in a blog post by security researcher xyz3va, as well as a statement from The Browser Company. The company says that its logs indicate no users were affected by the flaw. The exploit, CVE-2024-45489, relied on a misconfiguration in The Browser Company’s implementation of Firebase, a “database-as-a-backend service,” for storage of user info, including Arc Boosts, a feature that lets users customize the appearance of websites they visit. In its
- by theverge
- 21 Sep 2024
- in technology
A security researcher revealed a "catastrophic" vulnerability in the Arc browser that would have allowed attackers to insert arbitrary code into other users' browser sessions with little more than an easily findable user ID. The vulnerability was patched on August 26th and disclosed today in a blog post by security researcher xyz3va, as well as a statement from The Browser Company. The company says that its logs indicate no users were affected by the flaw.
The exploit, CVE-2024-45489, relied on a misconfiguration in The Browser Company's implementation of Firebase, a "database-as-a-backend service," for storage of user info, including Arc Boosts, a feature that lets users customize the appearance of websites they visit.
In its statement, The Browser Company writes:
Arc has a feature called Boosts that allows you to customize any website with custom CSS and Javascript. Since running arbitrary Javascript on websites has potential security concerns, we opted not to make Boosts with custom Javascript shareable across members, but we still synced them to our server so that your own Boosts are available across devices.We use Firebase as the backend for certain Arc features (more on this below), and use it to persist Boosts for both sharing and syncing across devices. Unfortunately our Firebase ACLs (Access Control Lists, the way Firebase secures endpoints) were misconfigured, which allowed users Firebase requests to change the creatorID of a Boost after it had been created. This allowed any Boost to be assigned to any user (provided you had their userID), and thus activate it for them, leading to custom CSS or JS running on the website the boost was active on.
Or, in the words of xyz3va,
arc boosts can contain arbitrary javascriptarc boosts are stored in firestorethe arc browser gets which boosts to use via the creatorID fieldwe can arbitrarily change the creatorID field to any user id
You can get someone's creatorID in several ways, including referral links, shared easels, and publicly shared Boosts. With that info, an attacker could have created a boost with arbitrary code in it and added it to the victim's Arc account without any action on the victim's part. That's bad.
you may also like
- by theverge
- 21 Sep 2024
The best Garmin watches for training and everyday life
- by theverge
- 21 Sep 2024
Lotus Theory 1 is a high-powered electric sports car with haptics and robot textiles
travel
- by travelandtourworld
- descember 09, 2016
MGL Limo Unveils New Black Car Services to Elevate Luxury Travel in San Francisco
MGL Limo has broadened its transportation offerings in the San Francisco region by integrating black car limo services into its fleet. This addition aims to serve a wide array of client needs, including corporate engagements, special gatherings, and guided city tours, offering dependable and plush transport solutions for both local and visiting travelers.
read more