Back in late August, The Browser Company – the company behind the popular Mac browser Arc, became aware of a serious security vulnerability in the browser, one that could allow for remote code execution on other users computer with no direct interaction. They patched it promptly once being alerted to it, and the details of the vulnerability were disclosed a few days ago.
The Incident
According to The Browser Company, no users were affected by the vulnerability, and you shouldn’t have to update Arc in order to be protected. The company stated that this was the “first serious security incident in Arc’s lifetime.”
Security researcher xyz3va reported it privately to Arc, and you can read their full writeup on the issue if you’d like. In essence, Arc has a feature called Boost, which allowed users to customize websites with their own CSS and JavaScript. Arc knew that sharing custom JavaScript could be risky, so they never officially allowed users to share Boosts that included custom JavaScript. However, this exploit found a loophole in that system.
Essentially, Arc still saved custom boosts with JavaScript to their server, which allowed them to sync across devices. Arc also used Firebase as the backend of certain Arc features, and their Firebase setup was misconfigured, allowing users to change the creatorID of a boost after it was created.
This is an issue because if you were able to obtain another users ID, you could change the ID associated with the boost, and then that boost would sync to that users computer. Not great.
There were a number of ways you could obtain someone else’s user ID, including:
- Getting their referral, which would contain their user ID
- Checking if they published any boosts, which would also have their user ID
- Looking at someones shared easel (essentially a whiteboard), where you can also get their user ID
Once again, it’s worth emphasizing that this exploit was never actually taken advantage of. It could’ve been pretty bad however, and The Browser Company is still taking steps to alleviate issues in the future.
How they’re addressing it
From now on, JavaScript will be disabled on synced Boosts by default, preventing similar attacks from happening in the future. You’ll have to explicitly enable the custom JavaScript on other devices moving forward.
Additionally, they plan on moving off of Firebase for new features and products, and they’ll also be adding security mitigations to Arc’s release notes, establishing additional transparency.
They also plan on hiring more people for the security team, and recently hired a new security engineer.
The researcher who reported this issue received a $2000 security bounty, something that The Browser Company hasn’t traditionally done. However, going forward, they want to have a clearer process surrounding bounties.
Follow Michael: X/Twitter, Threads
Add 9to5Mac to your Google News feed.
FTC: We use income earning auto affiliate links. More.