Critical Vulnerability in Arc Browser Allowed Code Injection

Source: verge

A security researcher has uncovered a severe vulnerability in the Arc browser that could have enabled attackers to execute arbitrary code within other users' browsing sessions. The flaw, patched on August 26th, stemmed from a misconfiguration in the browser's use of Firebase for storing user data, including website customizations known as 'Boosts'. The researcher, xyz3va, disclosed the vulnerability; The Browser Company confirmed the issue and stated that its logs show no evidence of user exploitation.

A security researcher revealed a “catastrophic” vulnerability in the Arc browser that would have allowed attackers to insert arbitrary code into other users’ browser sessions with little more than an easily findable user ID. The vulnerability was patched on August 26th and disclosed today in a blog post by security researcher xyz3va, as well as a statement from The Browser Company. The company says that its logs indicate no users were affected by the flaw.

Unfortunately our Firebase ACLs were misconfigured, which allowed users' Firebase requests to change the creatorID of a Boost after it had been created. This allowed any Boost to be assigned to any user, and thus activate it for them, leading to custom CSS or JS running on the website the boost was active on.
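
A minimal Python model of the access-control gap the statement describes, added here as an illustration and not code from The Browser Company, Firebase, or the researcher: the weak rule authorizes an update from the stored owner alone, while the strict rule also requires `creatorID` to stay unchanged by the write. The store layout, function names and sample IDs are assumptions; only the `creatorID` field name comes from the statement.

```python
"""Constructed model of an owner-checked document update (illustrative only)."""


def weak_update_rule(auth_uid, existing, incoming):
    # Checks only who owns the stored document; the incoming creatorID is never inspected.
    return auth_uid is not None and auth_uid == existing["creatorID"]


def strict_update_rule(auth_uid, existing, incoming):
    # Same ownership check, plus creatorID must be identical before and after the write.
    return (weak_update_rule(auth_uid, existing, incoming)
            and incoming["creatorID"] == existing["creatorID"])


def apply_update(store, boost_id, auth_uid, patch, rule):
    """Merge patch into the stored Boost if the rule allows it; return True on success."""
    existing = store[boost_id]
    incoming = {**existing, **patch}
    if not rule(auth_uid, existing, incoming):
        return False
    store[boost_id] = incoming
    return True


def boosts_for(store, uid):
    """Boost ids a client signed in as uid would load (assumed to be selected by creatorID)."""
    return sorted(bid for bid, doc in store.items() if doc["creatorID"] == uid)


def run_scenario(rule):
    # Constructed sample data: user-a owns one Boost, user-b owns none.
    store = {"boost-1": {"creatorID": "user-a", "site": "example.com", "js": "/* custom */"}}
    allowed = apply_update(store, "boost-1", "user-a", {"creatorID": "user-b"}, rule)
    return allowed, boosts_for(store, "user-b")


if __name__ == "__main__":
    print("weak  :", run_scenario(weak_update_rule))    # reassignment accepted
    print("strict:", run_scenario(strict_update_rule))  # reassignment rejected
```

The strict rule still lets the owner edit other fields of their own Boost; it only pins the ownership field, which is the property the misconfigured ACLs did not enforce.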
