Researcher reveals ‘catastrophic’ security flaw in the Arc browser

Arc has a feature called Boosts that allows you to customize any website with custom CSS and Javascript. Since running arbitrary Javascript on websites has potential security concerns, we opted not to make Boosts with custom Javascript shareable across members, but we still synced them to our server so that your own Boosts are available across devices.

We use Firebase as the backend for certain Arc features (more on this below), and use it to persist Boosts for both sharing and syncing across devices. Unfortunately our Firebase ACLs (Access Control Lists, the way Firebase secures endpoints) were misconfigured, which allowed users Firebase requests to change the creatorID of a Boost after it had been created. This allowed any Boost to be assigned to any user (provided you had their userID), and thus activate it for them, leading to custom CSS or JS running on the website the boost was active on.

Source link

Denial of responsibility! NewsConcerns is an automatic aggregator of the all world’s media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials, please contact us by email – [email protected]. The content will be deleted within 24 hours.

Researcher reveals ‘catastrophic’ security flaw in the Arc browser

Leave a Comment Cancel reply

COVID-19

Woman shot by B.C. police was Colombian refugee with young daughter, advocate says

ENTERTAINMENT

The Fate of Pretty Little Liars Reboot Revealed After 2 Seasons

BUSINESS

Mars brings Marathon name back in UK as nostalgia rises for retro sweets | Food & drink industry

SCIENCE

Light momentum turns pure silicon from an indirect to a direct bandgap semiconductor

LIFESTYLE

WA records highest population growth, as Australia hits 27 million milestone