Media

• E-Commerce
• Investing
• Marketing and Advertising
• News and Media
• Business Services

Popular tags

• the
• to
• market
• united
• states
• united states
• states united
• llp
• announces
• global
• of
• stock
• earnings
• business
• stocks
• in
• call
• report
• data
• results

Keywords

2024-09-21 15:30:53| Engadget

One of the feature that separates the Arc browser from its competitors is the ability to customize websites. The feature called "Boosts" allows users to change a website's background color, switch to a font they like or one that makes it easier for them to read and even remove an unwanted elements from the page completely. Their alterations aren't supposed to be be visible to anyone else, but they can share them across devices. Now, Arc's creator, the Browser Company, has admitted that a security researcher found a serious flaw that would've allowed attackers to use Boosts to compromise their targets' systems.  The company used Firebase, which the security researcher known as "xyzeva" described as a "database-as-a-backend service" in their post about the vulnerability, to support several Arc features. For Boosts, in particular, it's used to share and sync customizations across devices. In xyzeva's post, they showed how the browser relies on a creator's identification (creatorID) to load Boosts on a device. They also shared how someone could change that element to their target's identification tag and assign that target Boosts that they had created.  If a bad actor makes a Boost with a malicious payload, for instance, they can just change their creatorID to the creatorID of their intended target. When the intended victim then visits the website on Arc, they could unknowingly download the hacker's malware. And as the researcher explained, it's pretty easy to get user IDs for the browser. A user who refer someone to Arc will share their ID to the recipient, and if they also created an account from a referral, the person who sent it will also get their ID. Users can also share their Boosts with others, and Arc has a page with public Boosts that contain the creatorIDs of the people who made them.  In its post, the Browser Company said xyzeva notified it about the security issue on August 25 and that it issued a fix a day later with the researcher's help. It also assured users that nobody got to exploit the vulnerability, no user was affected. The company has also implemented several security measures to prevent a similar situation, including moving off Firebase, disabling Javascript on synced Boosts by default, establishing a bug bounty program and hiring a new senior security engineer.This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/the-arc-browser-that-lets-you-customize-websites-had-a-serious-vulnerability-133053134.html?src=rss

Category: Marketing and Advertising

Latest from this category

09.12 Letterboxd Video Store's first film rentals will be available this week 09.12 Congress removes right to repair language from 2026 defense bill 08.12 Katsuhiro Harada is leaving Bandai Namco after 30 years 08.12 An AI copycat of King Gizzard & the Lizard Wizard went unnoticed on Spotify for weeks 08.12 Google and Apple partner on better Android-iPhone switching 08.12 TikTok announces shared feed and collections features 08.12 How to watch Rivian's Autonomy and AI day and what to expect 08.12 Meta will let Facebook and Instagram users in the EU share less data Marketing and Advertising »

All news

09.12 Can Nephrocares IPO prove a rewarding bet for long-term investors? 09.12 Market expects one more rate cut as inflation stays benign 09.12 ICICI Pru AMC IPO price band fixed at Rs 2,061-Rs 2,165, issue opens Dec 12 09.12 'Living off grid is not a dream, it's a nightmare' 09.12 Sebi launches new verification agency to crack down on mis-selling 09.12 Is AI in recruitment a 'race to the bottom'? 09.12 Market breadth cracks deepen as ADR sinks to 10-month low 09.12 Indices see steepest fall since Sept 25 despite rate cut boost More »