 Image Credits - pc-tablet
The Arc browser, known for its innovative “Boosts” feature, which allows users to customize websites, recently acknowledged a serious security vulnerability. The flaw, discovered by a security researcher who goes by the name “xyzeva”, could have enabled malicious actors to compromise users’ systems by exploiting the Boosts feature.
Boosts allow Arc users to personalize their web experience by changing a website’s background color and font style, and even by removing unwanted elements from a page. These customizations are intended to be private and visible only to the user, although they can be synced across that user’s devices. The vulnerability, however, arose from the way Boosts interact with the browser’s backend services: The Browser Company, which created Arc, used Firebase as the backend database for several features, including Boosts.
The researcher’s findings explain that Arc relies on a unique identifier, the creatorID, to load and synchronize Boosts. The researcher demonstrated that an attacker could manipulate this creatorID, assigning their own malicious Boosts to a target’s identifier. If the target then visited a website covered by the compromised Boost, it would load in their browser, and they could inadvertently download malware.
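The root cause described above is a backend that accepts whatever creatorID the client writes. The following Firestore security rules are an added illustration, not Arc’s actual rules (the article says only “Firebase”, so the Firestore product, the `boosts` collection name and the document layout are assumptions); they show the weak ownership check beside a corrected one that binds creatorID to the authenticated user.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (illustrative): any signed-in user may write any document,
    // including one whose creatorID is another user's identifier.
    // match /boosts/{boostId} {
    //   allow read, write: if request.auth != null;
    // }

    // CORRECTED: the creatorID stored in a Boost must equal the
    // caller's own uid, and it cannot be changed after creation.
    match /boosts/{boostId} {
      // Reads stay limited to the owner; sync works because the same
      // account is signed in on each of the owner's devices.
      allow read: if request.auth != null
        && resource.data.creatorID == request.auth.uid;

      // On create, the client-supplied creatorID is only accepted
      // when it matches the authenticated user.
      allow create: if request.auth != null
        && request.resource.data.creatorID == request.auth.uid;

      // On update/delete, the existing document must already belong
      // to the caller, and the creatorID field must be left unchanged.
      allow update, delete: if request.auth != null
        && resource.data.creatorID == request.auth.uid
        && request.resource.data.creatorID == resource.data.creatorID;
    }
  }
}
```

With the corrected rules, a request that sets creatorID to any value other than `request.auth.uid` is rejected server-side regardless of what the client sends, which removes the reassignment path the researcher demonstrated.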
The potential impact of this vulnerability is concerning, particularly given how easily users’ creatorIDs can be obtained. For instance, when one user refers another to Arc, their ID is shared, and if the referred user creates an account, the original user gains access to that ID as well. The public sharing of Boosts makes it even easier for attackers to obtain a victim’s identifier.
The Browser Company acted quickly, deploying a fix within a day with the researcher’s assistance. The company confirmed that no users were affected by the vulnerability, and it has since implemented several measures to strengthen security: moving away from Firebase, disabling JavaScript on synced Boosts by default, launching a bug bounty program, and hiring a senior security engineer to bolster its team.