A security researcher recently uncovered a dangerous flaw in the Arc Browser, which had the potential to compromise users’ privacy and browser security. The flaw allowed remote code execution, meaning a hacker could run malicious code on a user’s browser without their knowledge. Thankfully, the issue was discovered and fixed before any users were affected.
Arc Browser
Arc is a free web browser created by The Browser Company, founded by Josh Miller and Hursh Agrawal.
It was officially released on July 25, 2023, after a beta test. Arc is available on macOS, iOS, and Windows. It’s built using Chromium and allows Chrome extensions.
Notably, it includes unique features like a scrapbook-style “easel” and “boosts,” which let users customise websites.
Arc aims to be more than just a browser, offering an integrated, creative experience. While critics praise its innovative approach, some believe it could still use refinement
A Critical Security Flaw
The security vulnerability was found in Arc Browser’s “Boost” feature, which lets users apply custom CSS and JavaScript to websites.
Each boost was linked to a specific User ID for security. However, a researcher who goes by “xyzeva” discovered a flaw in the system.
By tweaking the boost’s User ID, she was able to assign malicious code to other users. This allowed her to take control of their browsers without them visiting any specific website.
In a harmless demonstration, she created a boost that made a popup saying “arf awrf!” whenever her target visited Google. While this test was innocent, it highlighted the potential for far more dangerous attacks.
Quick Action Taken
The researcher, a professional pentester, responsibly reported the bug to Arc, earning a $2,000 reward.
Arc’s development team swiftly addressed the issue, ensuring that no users were harmed by the exploit.
In their blog post, Arc confirmed that the flaw has been fixed and that only the researcher identified it.
GIPHY App Key not set. Please check settings