Arc Browser - Access Anyone's Browsers
Recently, I took a look at the Arc browser, a relatively new browser that has gained popularity for its innovative features and user interface. While exploring its functionality, I discovered a critical vulnerability that could have allowed attackers to execute arbitrary JavaScript code in users' browsers. This vulnerability stemmed from Arc's reliance on Firestore, a cloud-based NoSQL database provided by Google Firebase.
Developers often favour Firestore for its ease of use and real-time capabilities. It allows clients, like web or mobile applications, to interact directly with the database, eliminating the need for a traditional backend server. However, this convenience comes with security considerations. Firestore can expose sensitive data and functionality to unauthorized access if not properly configured.
In Arc's case, Firestore was used to store various types of data, including user preferences, application settings, and a feature called "Boosts." Boosts are essentially user-created customizations that allow modification of website appearance and behaviour through CSS and JavaScript injections. While this feature offers flexibility and personalization, it became the crux of the vulnerability.
The Vulnerability: Exploiting Boosts and Firestore Security Rules
My boredom led to the revelation that Arc's Firestore security rules were insufficiently restrictive. Specifically, they failed to prevent unauthorized modification of the creatorID field associated with a boost. This field identifies the user who created the boost.
An attacker could exploit this weakness by creating a malicious boost containing arbitrary JavaScript code and then changing its creatorID to that of a target user. When the target user visited the website associated with the boost, the malicious code would be executed within their browser context. This could allow the attacker to steal cookies, session tokens, sensitive user input, or even take complete control of the user's browser session.
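To make the defensive fix concrete, here is an added example of a Firestore security ruleset (written for this article, not Arc's actual rules, which are not public on this page) that binds a boost's creatorID to the authenticated user on create and makes it immutable on update. The collection name `boosts` and the field names are assumptions; `creatorID` is the field the article describes.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Boosts collection (name assumed for this example).
    match /boosts/{boostId} {

      // Overly permissive pattern to avoid (illustrative only):
      // any signed-in user may write any field, including creatorID.
      //   allow read, write: if request.auth != null;

      function signedIn() {
        return request.auth != null;
      }

      // The stored document's owner must be the caller.
      function isOwner() {
        return signedIn() && resource.data.creatorID == request.auth.uid;
      }

      // Reads: any signed-in user (tighten further if boosts are private).
      allow read: if signedIn();

      // Create: the caller may only create boosts attributed to themselves.
      allow create: if signedIn()
                    && request.resource.data.creatorID == request.auth.uid;

      // Update: only the owner, and creatorID must not change,
      // so a boost cannot be re-pointed at another user's account.
      allow update: if isOwner()
                    && request.resource.data.creatorID == resource.data.creatorID;

      // Delete: only the owner.
      allow delete: if isOwner();
    }
  }
}
```

Test rules like these against the Firebase emulator before deploying; a rule that merely checks `request.auth != null` passes authentication but not authorization, which is exactly the gap described above.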
The Attack Chain: Obtaining User IDs and Executing Malicious Code
To carry out this attack, an attacker would first need to obtain the target user's ID. Unfortunately, Arc inadvertently exposed user IDs through various channels, such as user referral links and shared boosts. This made it relatively easy for an attacker to identify and target specific individuals.
Once the attacker had the target's user ID, they could proceed to create a malicious boost and modify its creatorID. The next time the victim visited the targeted website, the malicious code embedded in the boost would be executed, compromising their browser session.
Impact and Remediation
This vulnerability had the potential for significant impact, as it could enable large-scale attacks against Arc users. An attacker could potentially inject malicious code into numerous browsers, leading to widespread data theft, privacy breaches, and even malware distribution.
Upon discovering this vulnerability, I was told that this had already been disclosed to the Arc development team. They promptly acknowledged the issue and took steps to remediate it. This included strengthening Firestore security rules, implementing measures to prevent user ID leakage, and enhancing their overall security posture.
Key Takeaways
This incident underscores the importance of robust security practices when developing applications that utilize cloud-based databases like Firestore. Developers must carefully consider the security implications of their design choices and implement appropriate security measures to protect user data and prevent unauthorized access.
It also highlights the crucial role of security researchers in identifying and reporting vulnerabilities. Responsible disclosure allows developers to address security flaws before they can be exploited by malicious actors, ensuring the safety and privacy of users.
While Arc has addressed this specific vulnerability, it serves as a valuable reminder that ongoing security assessments and vigilance are essential in the ever-evolving landscape of web technologies.