Friday, September 20, 2024

Gaining Access to Anyone’s Arc Browser

xyzeva (via Hacker News):

firestore is a database-as-a-backend service that allows for developers to not care about writing a backend, and instead write database security rules and make users directly access the database.

this has of course sparked a lot of services having insecure or insufficient security rules and since researching that, i would like to call myself a firestore expert.

[…]

  • arc boosts can contain arbitrary javascript
  • arc boosts are stored in firestore
  • the arc browser gets which boosts to use via the creatorID field
  • we can arbitrarily change the creatorID field to any user id

thus, if we were to find a way to easily get someone else's user id, we would have a full attack chain
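The chain above turns on one thing: the database let an authenticated client write a boost whose `creatorID` pointed at a different user. In a backend-less Firestore deployment the security rules are the only server-side check, so the fix belongs there. The following is an added example, not Arc's actual rules or schema: the collection name `boosts` and the field name `creatorID` as the ownership key are assumptions. It shows a permissive rule of the kind the post describes beside a rule set that binds `creatorID` to the caller's own uid and makes it immutable afterwards.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed collection name; Arc's real schema is not on the page.
    match /boosts/{boostId} {

      // WEAK (illustrative): any signed-in user may write any document,
      // including one whose creatorID names some other user. This is the
      // shape of rule that makes the attack chain above possible.
      //   allow read, write: if request.auth != null;

      // HARDENED:

      // Reads stay open to signed-in users; boosts are meant to be shared.
      allow read: if request.auth != null;

      // Create: the document's creatorID must be the caller's own uid, so a
      // client cannot plant a boost under someone else's id.
      allow create: if request.auth != null
                    && request.resource.data.creatorID == request.auth.uid;

      // Update: only the current owner may write, and creatorID must be
      // carried over unchanged (request.resource is the post-write state,
      // resource is the stored state).
      allow update: if request.auth != null
                    && resource.data.creatorID == request.auth.uid
                    && request.resource.data.creatorID == resource.data.creatorID;

      // Delete: owner only.
      allow delete: if request.auth != null
                    && resource.data.creatorID == request.auth.uid;
    }
  }
}
```

The key design point is that ownership is derived from `request.auth.uid`, which Firebase Authentication attaches server-side, rather than from any field the client sends. Rules like these can be exercised offline against the Firestore emulator before deploying with `firebase deploy --only firestore:rules`, so that an attempted write with a foreign `creatorID` can be confirmed to fail in a test rather than discovered in production.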

Hursh Agrawal:

We want to let all Arc users know that a security vulnerability existed in Arc prior to 8/25/24. We were made aware of a vulnerability on 8/25, it was fixed on 8/26. This issue allowed the possibility of remote code execution on users’ computers. We've patched the vulnerability immediately, already rolled out the fix, and verified that no one outside of the security researcher who discovered the bug has exploited it. This means no members were affected by this vulnerability, and you do not need to take any action to be protected.

bhaney:

There are a lot of major security vulnerabilities in the world that were made understandably, and can be forgiven if they’re handled responsibly and fixed.

This is not one of them. In my opinion, this shows a kind of reputation-ruining incompetency that would convince me to never use Arc ever again.

As I wrote before, I thought it was sketchy that they required an account, and it’s also a red flag that the CVE response blog post does not seem to actually be linked from their blog.
