Scrape Timestamp (UTC): 2024-10-01 22:33:56.085
Original Article Text
Arc browser launches bug bounty program after fixing RCE bug

The Browser Company has introduced an Arc Bug Bounty Program to encourage security researchers to report vulnerabilities to the project and receive rewards. This development comes in response to a critical remote code execution flaw, tracked as CVE-2024-45489, that could have enabled threat actors to launch mass-scale attacks against users of the browser.

The flaw allowed attackers to exploit how Arc uses Firebase for authentication and database management to execute arbitrary code in a target's browser. A researcher found what they describe as a "catastrophic" flaw in the "Boosts" feature (user-created customizations), which lets users modify a website with JavaScript when it is visited. The researcher found that they could cause malicious JavaScript code to run in other users' browsers simply by changing a Boost's creator ID to another person's ID. When that Arc Browser user visited the site, the browser would execute the malicious code created by the attacker.

Although the flaw had been present in the browser for quite a while, it was promptly addressed on August 26, 2024, a day after the researcher responsibly disclosed it to the Arc team, for which they were awarded $2,000.

Arc Bug Bounty Program

The bug bounty program announced by the Browser Company covers Arc on macOS and Windows and Arc Search on iOS. The set payouts can be summarized in the following four main categories, depending on the severity of the discovered flaws:

More details about Arc's Bounty Program are available here.

Regarding CVE-2024-45489, the Arc team notes in its latest announcement that auto-syncing of Boosts with JavaScript has been disabled, and a toggle to turn off all Boost-related features has been added in Arc 1.61.2, the latest version, released on September 26. Also, an audit conducted by an external auditing expert is underway and will cover Arc's backend systems.
A new MDM configuration option to disable Boosts for entire organizations will be released in the coming weeks. The Browser Company says new coding guidelines with an elevated focus on auditing and reviewing have now been drafted, its incident response process is being revamped for better effectiveness, and new security team members will be welcomed aboard soon. Launched a little over a year ago, Arc quickly gained popularity thanks to its innovative user interface design, customization options, uBlock Origin integration, and speedy performance. Threat actors have even used the browser's popularity to push malware to Windows users.
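The Boosts flaw described above is a missing ownership check: the backend accepted a record whose creator ID pointed at another user. The following is an added illustration, not Arc's code and not its actual Firebase schema; the in-memory Map, the field names (id, creator_id, site, script) and the uid values are constructed assumptions. It places the unchecked write path beside a hardened one and shows what each user's sync would then pick up.

```javascript
// Added example, not Arc's code: a model of the authorization check that the
// Boosts flaw lacked. The in-memory Map stands in for the synced Firebase
// collection; field names (id, creator_id, site, script) are assumptions.

// Vulnerable write path: any authenticated user may store a record carrying
// an arbitrary creator_id, including another user's.
function writeBoostUnchecked(store, authUid, boost) {
  if (!authUid) throw new Error("unauthenticated");
  store.set(boost.id, { ...boost });
  return true;
}

// Hardened write path: the record's creator_id must be the caller's own uid,
// and an existing record may only be modified by the user who created it.
function writeBoostChecked(store, authUid, boost) {
  if (!authUid) throw new Error("unauthenticated");
  if (boost.creator_id !== authUid) {
    throw new Error("creator_id must equal the authenticated uid");
  }
  const existing = store.get(boost.id);
  if (existing && existing.creator_id !== authUid) {
    throw new Error("only the creator may modify this Boost");
  }
  store.set(boost.id, { ...boost });
  return true;
}

// Client sync: the browser pulls every Boost attributed to the signed-in user
// and would apply its script on the matching site. With the unchecked write
// path, this is where another user's script would land.
function syncBoostsFor(store, uid) {
  return [...store.values()].filter((b) => b.creator_id === uid);
}

// Scenario: an account "uid-attacker" tries to attribute a Boost to
// "uid-victim" (constructed uids). Returns whether the backend rejected the
// write and how many Boosts the victim's sync would then apply.
function demo(writeFn) {
  const store = new Map();
  const forged = { id: "boost-1", creator_id: "uid-victim", site: "example.com", script: "/* constructed */" };
  let rejected = false;
  try {
    writeFn(store, "uid-attacker", forged);
  } catch (e) {
    rejected = true;
  }
  return { rejected, victimSees: syncBoostsFor(store, "uid-victim").length };
}
```

Running demo(writeBoostUnchecked) yields one forged Boost in the victim's sync, while demo(writeBoostChecked) rejects the write and leaves the victim's sync empty; the same rule, expressed as Firebase security rules, is where a real deployment would enforce it.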
Daily Brief Summary
Arc has launched a Bug Bounty Program to enhance security by rewarding reported vulnerabilities.
This follows the discovery of a severe remote code execution bug, CVE-2024-45489, which allowed the execution of arbitrary code via modified user customizations.
The flaw was exploited through the "Boosts" feature, enabling malicious JavaScript to run in other users' browsers.
The vulnerability was promptly remedied following its disclosure on August 25, 2024, with the researcher receiving a $2,000 reward.
The bounty program extends to Arc on macOS, Windows, and Arc Search on iOS, with rewards varying based on the severity of the vulnerabilities.
Version 1.61.2 of Arc has disabled auto-syncing of Boosts and added a toggle for disabling related features, and Arc's backend systems are undergoing an external audit.
Enhanced security measures include new coding guidelines, improvements to the incident response process, and the hiring of additional security personnel.
Despite its recent introduction, Arc browser has rapidly gained users due to features like effective design, customization options, and integrated ad blocker.