Xorte logo

News Markets Groups

USA | Europe | Asia | World| Stocks | Commodities


Add a new RSS channel

 
 


Keywords
The Arc browser that lets you customize websites had a serious vulnerability

2024-09-21 15:30:53| Engadget

One of the feature that separates the Arc browser from its competitors is the ability to customize websites. The feature called "Boosts" allows users to change a website's background color, switch to a font they like or one that makes it easier for them to read and even remove an unwanted elements from the page completely. Their alterations aren't supposed to be be visible to anyone else, but they can share them across devices. Now, Arc's creator, the Browser Company, has admitted that a security researcher found a serious flaw that would've allowed attackers to use Boosts to compromise their targets' systems.  The company used Firebase, which the security researcher known as "xyzeva" described as a "database-as-a-backend service" in their post about the vulnerability, to support several Arc features. For Boosts, in particular, it's used to share and sync customizations across devices. In xyzeva's post, they showed how the browser relies on a creator's identification (creatorID) to load Boosts on a device. They also shared how someone could change that element to their target's identification tag and assign that target Boosts that they had created.  If a bad actor makes a Boost with a malicious payload, for instance, they can just change their creatorID to the creatorID of their intended target. When the intended victim then visits the website on Arc, they could unknowingly download the hacker's malware. And as the researcher explained, it's pretty easy to get user IDs for the browser. A user who refer someone to Arc will share their ID to the recipient, and if they also created an account from a referral, the person who sent it will also get their ID. Users can also share their Boosts with others, and Arc has a page with public Boosts that contain the creatorIDs of the people who made them.  In its post, the Browser Company said xyzeva notified it about the security issue on August 25 and that it issued a fix a day later with the researcher's help. It also assured users that nobody got to exploit the vulnerability, no user was affected. The company has also implemented several security measures to prevent a similar situation, including moving off Firebase, disabling Javascript on synced Boosts by default, establishing a bug bounty program and hiring a new senior security engineer.This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/the-arc-browser-that-lets-you-customize-websites-had-a-serious-vulnerability-133053134.html?src=rss


Category: Marketing and Advertising

 

Latest from this category
02.02McDonalds wants its customers to know that bigmac is a terrible password
01.02Apex Legends won't be playable on Nintendo Switch after its next season
01.02Apple is already thinking about its second foldable iPhone, and it may be a clamshell
01.02Apple's online store now lets you build a new Mac exactly the way you want
01.02Indonesia is lifting its ban on Grok, but with some conditions
01.02How to replace your AirTag battery
31.01NVIDIA is still planning to make a 'huge' investment in OpenAI, CEO says
31.01Ayaneo's Pocket S Mini has the perfect aspect ratio for revisiting classic console games
Marketing and Advertising »

All news
02.02Monday Watch
02.02Gold and silver ETFs crash up to 20% as precious metals slump further. What should investors do now?
02.02Anant Raj, Netweb Tech, other data centre stocks surge up to 7%. Whats triggering the surge?
02.026 tech-infused items under $30 to keep you warm this winter
02.02ETMarkets Smart Talk | 1015% allocation to gold and silver is enough for portfolios: Sandeep Bagla
02.02Negative Breakout: These 13 stocks cross below their 200 DMAs
02.02Asian shares drop as gold plunge deepens, dollar gains
02.02Sharp hike in STT pulls Nifty and Sensex down by 2%; brokerages feel the heat
More »
Privacy policy . Copyright . Contact form .