The Arc browser, a product of The Browser Company, recently faced a security vulnerability identified as CVE-2024-45489. The flaw, discovered on August 25, 2024, was swiftly remedied within a day to ensure the safety of Arc users.
Hursh, the Chief Technology Officer and co-founder of The Browser Company, disclosed that the vulnerability was caused by a misconfiguration in the Firebase Access Control Lists (ACLs) meant to safeguard user data. The misconfiguration could have allowed remote code execution on users’ devices: an unauthorized party could have altered how websites behave in other users’ browsers by injecting custom scripts and styles. The company confirmed that the only person to exploit the vulnerability was the security researcher who reported it.
The timeline of events shows a quick response from The Browser Company. After the vulnerability was discovered on August 25, a fix was deployed the following day, August 26, and distributed to all users. Despite the severity of the issue, no users were adversely affected: an examination of Firebase access logs indicated that the only alterations to the creator IDs of custom “Boosts” were carried out by the reporting researcher.
The vulnerability stemmed from a misconfiguration in the Access Control Lists (ACLs) that were meant to prevent unauthorized changes to Boost creator IDs. Because a Boost’s creator ID could be rewritten, a user could have had their custom scripts executed on other users’ devices, a serious security risk.
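To make the failure mode above concrete, the following is an added illustration written for this page, not The Browser Company’s actual Firebase configuration. It assumes Boosts are stored in a Cloud Firestore collection (hypothetically named `boosts`) whose documents carry a `creatorId` field; the collection and field names are assumptions. The first block shows an over-permissive rule of the kind that lets any signed-in user re-attribute a Boost to someone else; the second binds `creatorId` to the authenticated caller on create and makes it immutable afterwards.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (hypothetical): any signed-in user may overwrite any Boost,
    // including its creatorId. A document can therefore be re-attributed
    // to another user, who then receives its script through sync.
    match /boosts_weak/{boostId} {
      allow read:  if request.auth != null;
      allow write: if request.auth != null;
    }

    // HARDENED (hypothetical collection name): creatorId must equal the
    // caller's uid on create and may never change; only the creator can
    // update or delete the Boost.
    match /boosts/{boostId} {
      allow read: if request.auth != null;

      allow create: if request.auth != null
        && request.resource.data.creatorId == request.auth.uid;

      allow update: if request.auth != null
        && resource.data.creatorId == request.auth.uid
        && request.resource.data.creatorId == resource.data.creatorId;

      allow delete: if request.auth != null
        && resource.data.creatorId == request.auth.uid;
    }
  }
}
```

The key line is the equality check between `request.resource.data.creatorId` and `resource.data.creatorId` on update: it turns the owner field into an immutable attribute rather than user-supplied data. Rules like these can be exercised against the Firebase Local Emulator Suite before deployment, so that an update which changes `creatorId` is shown to be denied rather than discovered in production access logs.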
To mitigate the vulnerability, The Browser Company took several steps: it commissioned an external audit of its existing Firebase ACLs, disabled custom JavaScript in synced Boosts by default, and decided to move new features away from Firebase to reduce future ACL-related risk. It also established a new channel for informing users about security vulnerabilities, the mitigations applied and who was affected, launched a bug bounty program, and hired a new senior security engineer.
Looking ahead, The Browser Company aims to strengthen its security practices and its communication with users. By continuing to improve its protocols and response mechanisms, the company intends to underscore its commitment to safeguarding users. Users of the Arc browser need not take any action, as the vulnerability has been resolved.
In conclusion, The Browser Company’s swift response to the Arc browser vulnerability demonstrates their dedication to security and user protection. By learning from this incident and reinforcing their security posture, the company endeavors to instill confidence in users regarding their commitment to security.