Arc Browser Tackles Major Security Flaw from Previous Month with Latest Update – 9to5Mac

# Analyzing the Recent Security Flaw in Arc Browser

In late August 2023, The Browser Company, the developers behind the Mac browser Arc, disclosed a critical security flaw that could have allowed remote code execution on users’ devices without any interaction from the victim. The flaw, tracked as CVE-2024-45489, was quickly fixed by the company, which has since published details of the incident.

## The Event

The Browser Company stated that no users fell victim to this vulnerability, and there is no need for users to upgrade Arc to maintain their safety. They described this event as the “first major security incident in Arc’s history.” The vulnerability was first brought to light privately by the security researcher [xyz3va](https://x.com/xyz3va), who offered an in-depth analysis of the situation.

Central to the vulnerability was an Arc feature named Boost, which lets users customize websites with their own CSS and JavaScript. Although Arc had measures in place to prevent Boosts containing custom JavaScript from being shared officially, the vulnerability bypassed this safeguard.

Arc stored custom Boosts, including those with JavaScript, on its servers so they could be synchronized across a user’s devices. A configuration error in the Firebase backend, however, allowed a Boost’s creator ID to be changed after the Boost had been created. As a result, an attacker who learned another user’s ID could set a Boost’s creator ID to that user’s ID, causing the Boost, and any JavaScript it contained, to be synchronized onto the victim’s device.
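To make the misconfiguration concrete, here is an added illustration written in Firestore security rules; it is not The Browser Company’s actual configuration, and the collection name `boosts`, the field `creatorID`, and the assumption that devices sync by querying Boosts whose `creatorID` matches the signed-in user are all assumed for the example. The weak rule lets a Boost’s owner rewrite its creator ID; the hardened rule pins that field after creation.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Assumed collection and field names; not Arc's real schema.
    match /boosts/{boostId} {
      // Devices are assumed to read the Boosts whose creatorID is their own UID.
      allow read: if request.auth != null
                  && resource.data.creatorID == request.auth.uid;

      // At creation the creator ID must be the caller's own UID.
      allow create: if request.auth != null
                    && request.resource.data.creatorID == request.auth.uid;

      // WEAK (the class of bug described above): this only checks that the
      // caller currently owns the document. The owner can therefore rewrite
      // creatorID to another user's UID, after which that user's devices
      // match the Boost on read and pull its JavaScript down.
      // allow update: if request.auth != null
      //               && resource.data.creatorID == request.auth.uid;

      // HARDENED: the caller must own the document AND the creator ID in the
      // resulting document must equal the stored one, so a Boost can never be
      // reassigned to a different user after it exists.
      allow update: if request.auth != null
                    && resource.data.creatorID == request.auth.uid
                    && request.resource.data.creatorID == resource.data.creatorID;

      allow delete: if request.auth != null
                    && resource.data.creatorID == request.auth.uid;
    }
  }
}
```

Any field that other users' clients trust for access or sync decisions needs the same treatment: set once on create, and compared against the stored value on every update.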

### Methods of User ID Acquisition

There were various ways through which an attacker could discover another user’s ID, such as:

- Accessing a user’s referral link, which contained their user ID.
- Investigating if the user had shared any Boosts, which also disclosed their user ID.
- Looking at a shared easel (an interactive whiteboard feature), where the user ID could be displayed.

While the flaw was serious, it was never exploited in the wild. The Browser Company is now taking steps to prevent similar vulnerabilities from arising in the future.

## Their Approach to Resolution

In reaction to the incident, The Browser Company is instituting several significant modifications:

1. **Disabling JavaScript by Default**: Going forward, JavaScript will be switched off by default on synced Boosts. Users will have to explicitly activate custom JavaScript on their devices, substantially decreasing the possibility of analogous attacks.

2. **Transitioning Away from Firebase**: The company intends to discontinue the use of Firebase for future features and products, in search of more secure backend alternatives.

3. **Improving Security Transparency**: Arc will incorporate security mitigations in its release notes to promote greater transparency concerning security practices and updates.

4. **Enhancing the Security Team**: The Browser Company aims to grow its security team, having already recruited a new security engineer to strengthen their initiatives.

5. **Launching a Security Bounty Program**: The researcher who brought the vulnerability to attention received a $2000 security bounty, signifying a shift in the company’s stance on security rewards. The Browser Company intends to develop a clearer avenue for bounty submissions in the future.

## Final Thoughts

The recent security flaw in Arc Browser is a reminder of the need for strong security practices in software development. The Browser Company acted quickly to fix the issue and has committed to raising its security standards to protect its users. As the digital landscape keeps evolving, continuous vigilance and proactive measures will remain crucial to protecting user data and preserving confidence in technology.

For further details about the incident and the company’s response, you can check out the [complete write-up by xyz3va](https://kibty.town/blog/arc/) and keep an eye on updates from The Browser Company.