Mariella Moon has been a night editor for Engadget since 2013, covering everything from consumer technology and video games to strange little robots that could operate on the human body from the inside one day. She has a special affinity for space, its technologies and its mysteries, though, and has interviewed astronauts for Engadget.
One of the features that separates the Arc browser from its competitors is the ability to customize websites. The feature, called "Boosts," allows users to change a website's background color, switch to a font they like or one that makes it easier for them to read and even remove unwanted elements from the page completely. Their alterations aren't supposed to be visible to anyone else, but they can share them across devices.
The company used Firebase, which the security researcher known as "xyzeva" described as a "database-as-a-backend service" in their post, to support several Arc features. For Boosts, in particular, it's used to share and sync customizations across devices. In xyzeva's post, they showed how the browser relies on a creator's identification to load Boosts on a device.
If a bad actor makes a Boost with a malicious payload, for instance, they can just change their creatorID to the creatorID of their intended target. When the intended victim then visits the website on Arc, they could unknowingly download the hacker's malware. And as the researcher explained, it's pretty easy to get user IDs for the browser.
In its post, the Browser Company said xyzeva notified it about the security issue on August 25 and that it issued a fix a day later with the researcher's help. It also assured users that nobody got to exploit the vulnerability and that no user was affected.
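The ownership problem described above comes down to a write check that lets the client change the `creatorID` field itself. The following is an added illustration, not code from Arc, Firebase or the researcher's post: it models a synced store in memory and compares an assumed weak write policy with a corrected one. Only the `creatorID` field name comes from the article; the store, policy functions, user IDs and sample Boost are constructed.

```javascript
// Added illustration: in-memory model of a synced Boost store.
// Only the creatorID field name is from the article; all else is assumed.

// Assumed weak policy: checks who owns the document as currently stored,
// but never looks at what the write does to the ownership field.
function weakPolicy(authUid, stored, next) {
  return stored.creatorID === authUid;
}

// Corrected policy: the caller must own the stored document AND the
// document must still carry the same creatorID after the write.
function strictPolicy(authUid, stored, next) {
  return stored.creatorID === authUid && next.creatorID === stored.creatorID;
}

// Merge an update into the store if the policy accepts it.
function applyUpdate(store, policy, authUid, docId, changes) {
  const stored = store.get(docId);
  if (!stored) return false;
  const next = { ...stored, ...changes };
  if (!policy(authUid, stored, next)) return false;
  store.set(docId, next);
  return true;
}

// What a user's browser would sync: every Boost whose creatorID is theirs.
function boostsFor(store, uid) {
  return [...store.values()].filter((b) => b.creatorID === uid);
}

// Constructed scenario: user-a owns one Boost and submits two writes,
// an ordinary edit and one that reassigns ownership to user-b.
function demo(policy) {
  const store = new Map([
    ["boost-1", { creatorID: "user-a", site: "example.com", css: "body{}" }],
  ]);
  const editAccepted = applyUpdate(store, policy, "user-a", "boost-1", { css: "body{color:red}" });
  const reassignAccepted = applyUpdate(store, policy, "user-a", "boost-1", { creatorID: "user-b" });
  return { editAccepted, reassignAccepted, syncedToUserB: boostsFor(store, "user-b").length };
}

console.log("weak:  ", demo(weakPolicy));
console.log("strict:", demo(strictPolicy));
```

Under the corrected policy the ordinary edit still goes through, while the write that would place the Boost in another user's sync set is rejected on the server side.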