Back in late August, The Browser Company – the company behind the popular Mac browser Arc, became aware of a serious security vulnerability in the browser, one that could allow for remote code execution on other users computer with no direct interaction. They patched it promptly once being alerted to it, and the details of the vulnerability were disclosed last week.
Update Sept 28th: After only one week, The Browser Company has finished addressing a bunch of their security shortcomings. Josh Miller, CEO of The Browser Company, posted a tweet on Friday, outlining all of the changes they’ve made. This includes their promised bug bounty program, their new security bulletin, as well as other internal changes related to security procedures.
Additionally, they’ve increased xyz3va’s bounty payout from $2K USD to $20K USD, and the CEO personally offered them a job if they were interested. Original story below:
The Incident
The Browser Company confirmed that the vulnerability did not affect any users, and you don’t need to update Arc to stay protected. The company stated that this was the “first serious security incident in Arc’s lifetime.”
Security researcher xyz3va reported it privately to Arc, and you can read their full writeup on the issue if you’d like. In essence, Arc has a feature called Boost, which allowed users to customize websites with their own CSS and JavaScript. Arc knew that sharing custom JavaScript could be risky, so they never officially allowed users to share Boosts that included custom JavaScript. However, this exploit found a loophole in that system.
Essentially, Arc still saved custom boosts with JavaScript to their server, which allowed them to sync across devices. Arc used Firebase as the backend for certain features, but their misconfigured Firebase setup allowed users to change the creatorID of a boost after its creation.
This is an issue because if you were able to obtain another users ID, you could change the ID associated with the boost, and then that boost would sync to that users computer. Not great.
There were a number of ways you could obtain someone else’s user ID, including:
Getting their referral, which would contain their user ID
Checking if they published any boosts, which would also have their user ID
Looking at someones shared easel (essentially a whiteboard), where you can also get their user ID
Once again, it’s worth emphasizing that this exploit was never actually taken advantage of. It could’ve been pretty bad however, and The Browser Company is still taking steps to alleviate issues in the future.
How they’re addressing it
From now on, JavaScript will be disabled on synced Boosts by default, preventing similar attacks from happening in the future. You’ll have to explicitly enable the custom JavaScript on other devices moving forward.
Additionally, they plan on moving off of Firebase for new features and products, and they’ll also be adding security mitigations to Arc’s release notes, establishing additional transparency.
They also plan on hiring more people for the security team, and recently hired a new security engineer.
The researcher who reported this issue received a $2000 security bounty, something that The Browser Company hasn’t traditionally done. However, going forward, they want to have a clearer process surrounding bounties.
Follow Michael: X/Twitter, Threads, Instagram
FTC: We use income earning auto affiliate links. More.
GIPHY App Key not set. Please check settings