September 20, 2024

Arc Browser Vulnerability CVE-2024-45489

Eva, on kibty.town:

this would be the final attack chain:

1. obtain the user id of the victim via one of the mentioned methods
2. create a malicious boost with whatever payload you want on your own account
3. update the boost creatorID field to the target's
4. whenever the victim visits the targeted website, they will get compromised
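The chain quoted above hinges on one authorization mistake: an object's owner field (creatorID) is writable by the current owner, so ownership can be handed to any user id the attacker has learned. The following is an added example, not code from Arc, The Browser Company or Eva's write-up; the store, the field names, the hosts and the user ids are assumptions made for the illustration. It models a vulnerable store beside a hardened one and replays steps 2 to 4 of the quoted chain against each (step 1, learning the victim's id, is assumed to have happened out of band).

```javascript
// Added example, not code from Arc or from Eva's write-up: a toy model of the
// ownership flaw behind the quoted attack chain. A "boost" is a user-authored
// script the client runs on a given host. The store, field names, hosts and
// user ids here are assumptions made for the illustration.

const ATTACKER = "user-attacker-1"; // constructed sample ids
const VICTIM = "user-victim-2";

// Vulnerable store: the update path checks that the caller owns the boost, but
// then applies the whole patch, so the caller can hand ownership (creatorID)
// to any other user id they know.
class VulnerableBoostStore {
  constructor() {
    this.boosts = new Map();
    this.nextID = 1;
  }
  create(callerID, host, script) {
    const id = `boost-${this.nextID++}`;
    this.boosts.set(id, { id, creatorID: callerID, host, script });
    return id;
  }
  update(callerID, id, patch) {
    const b = this.boosts.get(id);
    if (!b) throw new Error("no such boost");
    if (b.creatorID !== callerID) throw new Error("not the owner");
    Object.assign(b, patch); // BUG: patch.creatorID is accepted as-is
    return b;
  }
  // What a user's client fetches when it visits `host`: the boosts whose
  // creatorID is that user. This is the trust boundary the flaw crosses.
  boostsFor(userID, host) {
    return [...this.boosts.values()].filter(
      (b) => b.creatorID === userID && b.host === host
    );
  }
}

// Hardened store: creatorID is server-assigned and immutable, and the patch
// is reduced to an allow-list of user-editable fields before it is applied.
class HardenedBoostStore extends VulnerableBoostStore {
  static EDITABLE = ["host", "script"];
  update(callerID, id, patch) {
    const b = this.boosts.get(id);
    if (!b) throw new Error("no such boost");
    if (b.creatorID !== callerID) throw new Error("not the owner");
    if ("creatorID" in patch || "id" in patch) {
      throw new Error("creatorID and id are immutable");
    }
    const allowed = {};
    for (const k of HardenedBoostStore.EDITABLE) {
      if (k in patch) allowed[k] = patch[k];
    }
    Object.assign(b, allowed);
    return b;
  }
}

// Replays the quoted steps against a store. Step 1 (learning the victim's id)
// is assumed done out of band; steps 2 to 4 are executed. Returns whether the
// ownership transfer succeeded and whether the victim's client would receive
// the attacker's script on the targeted host.
function runAttackChain(store, targetHost = "example.com") {
  const payload = "/* attacker payload */";
  const id = store.create(ATTACKER, targetHost, payload); // step 2
  let transferred = true;
  try {
    store.update(ATTACKER, id, { creatorID: VICTIM }); // step 3
  } catch (e) {
    transferred = false;
  }
  const delivered = store.boostsFor(VICTIM, targetHost); // step 4
  return {
    transferred,
    compromised: delivered.some((b) => b.script === payload),
  };
}

console.log("vulnerable:", runAttackChain(new VulnerableBoostStore()));
console.log("hardened:  ", runAttackChain(new HardenedBoostStore()));
```

The check a practitioner should take away: verifying "does the caller own this row" at the top of an update handler is not sufficient when the owner field itself is part of the writable payload. Ownership has to be assigned by the server and kept immutable, and every other writable field should be allow-listed rather than copied wholesale from the request. The example covers only that authorization flaw; it says nothing about how a victim's user id is obtained, which is described in Eva's post rather than here.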

Make no mistake. This was bad. Still, I think The Browser Company's response was quick and sincere:

Hursh here, CTO and Cofounder of The Browser Company. We want to let all Arc users know that a security vulnerability existed in Arc prior to 8/25/24. We were made aware of a vulnerability on 8/25, it was fixed on 8/26. This issue allowed the possibility of remote code execution on users’ computers. We’ve patched the vulnerability immediately, already rolled out the fix, and verified that no one outside of the security researcher who discovered the bug has exploited it. This means no members were affected by this vulnerability, and you do not need to take any action to be protected.

Back to Eva’s post:

the browser company normally does not do bug bounties (update: see at the end of post), but for this catastrophic of a vuln, they decided to award me with $2,000 USD

Overall, while the incident was scary, no one was affected. I trust the Arc team's response and attitude will make the most of this as a learning opportunity, and that it will make the browser (and related services) better in the end. Still my default browser.
