
The Browser Company reported this past weekend that its flagship Arc web browser had its first-ever serious security incident back in August. The good news is that no customers were impacted, and the company addressed the underlying issue within 24 hours.
“This is the first serious security incident in Arc’s lifetime,” The Browser Company co-founder and CTO Hursh Agrawal writes. “Despite the low impact, we’re taking this moment to upgrade everything from our internal security reviews, to our bug bounty program, to our communications with Arc members on such incidents.”
Security researchers at xyz3va privately alerted the small company to a vulnerability they found in the browser’s Boosts functionality that allowed remote code execution. They then continued to do the right thing by giving The Browser Company time to resolve the issue and confirm that no users were impacted before publishing their findings.
According to the researchers, a misconfiguration of the Firebase backend used by Arc allowed a Boost (the feature that lets users modify web pages they’re viewing in real time, similar to the recently introduced Distraction Control feature in Apple Safari in macOS Sequoia) to be run in the context of any user whose ID an attacker knew. This could allow the attacker to create custom JavaScript code and have it run in that user’s context.
The Browser Company worked with xyz3va to patch its access control lists (ACLs) and ensure the vulnerability was closed. It is still setting up a formal bug bounty program to reward reports of this kind, but it nevertheless awarded a bounty to xyz3va for this work.
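To show the kind of ACL gap described above, here is an added Firestore security-rules fragment written for this article, not The Browser Company’s actual rules (which are not published here): a weak rule that lets any signed-in user write any boost document, including its owner field, next to a hardened rule that ties reads and writes to the authenticated owner. The collection name `boosts` and the field `creatorID` are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (hypothetical): merely being signed in grants read/write on every
    // boost, so a caller can set creatorID to any other user's ID and that
    // user's browser would then load the boost's JavaScript.
    match /boosts_weak/{boostId} {
      allow read, write: if request.auth != null;
    }

    // HARDENED: the caller must be the owner recorded in the document, checked
    // on the incoming data (create/update) and on the stored data (update/delete).
    // Requiring both on update stops a boost being reassigned to another user.
    match /boosts/{boostId} {
      function isOwner(data) {
        return request.auth != null && data.creatorID == request.auth.uid;
      }
      allow read:   if isOwner(resource.data);
      allow create: if isOwner(request.resource.data);
      allow update: if isOwner(resource.data) && isOwner(request.resource.data);
      allow delete: if isOwner(resource.data);
    }
  }
}
```

Rules like these are worth exercising with the Firebase emulator’s rules unit tests before deployment, since “any authenticated user” is a common default that turns every known user ID into a write target.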
“This was the first vulnerability of this scale that we’ve seen in Arc, and we really want to use this as an opportunity to improve how we respond to and disclose security vulnerabilities,” Hursh explains. “In terms of this specific issue, we are making a number of changes to avoid this moving forward and to improve our communication around security vulnerabilities.”
Those changes are a mix of technical updates to the browser’s Boosts functionality and structural corporate changes to help ensure this kind of issue won’t happen again. Arc is moving off Firebase, for example, bolstering its security team, and improving its security review processes. This all seems very credible, but The Browser Company is tiny, as is Arc’s usage share, so the potential impact here is minor regardless.
Still, it’s nice to see the quick turnaround and transparent messaging. There are more than a few Big Tech firms that could learn a thing or two from this response.