Catastrophic Security Flaw Exposed in Arc Browser's Boosts Feature

Understanding Arc's Boosts Feature

Arc has introduced a powerful feature called Boosts that grants users the capability to enhance any website by incorporating custom CSS and Javascript. This functionality empowers users to tailor their web experience according to personal preferences and needs. However, running arbitrary Javascript on websites can pose significant security concerns, which led to some important design decisions regarding Boosts.

Security Measures for Boosts

To mitigate security risks associated with sharing custom Javascript, Arc has implemented restrictions that prevent Boosts with custom Javascript from being shared across members. This proactive approach ensures that while users can customize their individual experiences, the potential for malicious code execution is minimized.

Synchronization Across Devices

Despite the limitations on sharing, Boosts are synced to our server, which makes your personal Boosts available across all devices. This synchronization relies on Firebase, a robust backend service that underpins various features of Arc.

Firebase Misconfiguration and Its Implications

Recently, a misconfiguration in our Firebase Access Control Lists (ACLs) created unforeseen vulnerabilities. ACLs play a critical role in securing endpoints within Firebase, ensuring that user permissions are properly enforced. However, due to misconfigured settings, it was possible for users to execute Firebase requests that altered the creatorID of an existing Boost after its creation.

Consequences of the Misconfiguration

• Boost Attribution Risks: Because users could assign any Boost to any user (assuming they had the relevant userID), this allowed unauthorized individuals to activate custom CSS or Javascript on websites where those Boosts were enabled. This capability highlighted a serious security concern, as it could lead to misuse or malicious alterations.
• User Trust Impact: Users trust Arc to provide a secure environment for customization. Any breach or misuse of Boosts could undermine that trust, making it imperative to address and rectify such vulnerabilities swiftly.

Steps Taken to Resolve Security Issues

In light of this vulnerability, steps are being taken to tighten security measures, including:

1. Review and Update ACL Configurations: A thorough examination and overhaul of Firebase ACLs are underway to ensure that they correctly enforce user permissions and prevent unauthorized adjustments to Boosts.
2. Strengthen Monitoring Mechanisms: Implementing better monitoring tools will help in tracking the usage of Boosts and detecting any suspicious activity that could indicate attempted exploits.
3. User Education: Providing informative resources to users about best practices for using Boosts safely and the importance of maintaining personal security while customizing their web experiences.

Conclusion

While Arc's Boosts feature enhances the user experience through customizable web functionalities, it also necessitates stringent security measures to protect users and their data. Ongoing efforts to rectify current vulnerabilities and enhance the overall security framework demonstrate Arc's commitment to providing a safe and flexible environment for customization.