Tuesday, January 21, 2025

Arc browser launches bug bounty program after fixing RCE bug


The Browser Company has launched an Arc Bug Bounty Program to encourage security researchers to report vulnerabilities in the project and receive rewards.

The move comes in response to a critical remote code execution flaw, tracked as CVE-2024-45489, that could have enabled threat actors to launch mass-scale attacks against users of the browser.

The flaw allowed attackers to abuse how Arc uses Firebase for authentication and database management in order to execute arbitrary code in a target's browser.

A researcher found what they describe as a "catastrophic" flaw in the "Boosts" feature (user-created customizations), which lets users apply JavaScript to modify a website when it is visited.

The researcher found that they could cause malicious JavaScript code to run in other users' browsers simply by changing a Boost's creator ID to another person's ID. When that Arc Browser user visited the site, it would execute the malicious code created by the attacker.

Although the flaw had been present in the browser for quite some time, it was promptly addressed on August 26, 2024, a day after the researcher responsibly disclosed it to the Arc team, for which they were awarded $2,000.
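The root cause described above is an authorization gap: the backend accepted a write that re-pointed a Boost's creator ID at a different user, so a record the victim's browser trusted as "mine" was attacker-controlled. The following Firebase security rules are an added illustration of the defensive pattern, not Arc's actual rules (which are not public on this page); the collection name `boosts` and the field name `creatorId` are assumptions made for the example. The commented-out rule shows the weak shape that only checks for a signed-in user; the active rule binds ownership to the authenticated uid and makes the owner field immutable.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak pattern (assumed, for contrast): any signed-in user may write any
    // document, including one whose creatorId names a different user.
    // match /boosts/{boostId} {
    //   allow read, write: if request.auth != null;
    // }

    // Hardened pattern. Collection and field names are assumptions.
    match /boosts/{boostId} {
      // A user may only read Boosts they own.
      allow read: if request.auth != null
                  && resource.data.creatorId == request.auth.uid;

      // On create, the stored creatorId must be the caller's own uid.
      allow create: if request.auth != null
                    && request.resource.data.creatorId == request.auth.uid;

      // On update, the caller must already own the document, and the
      // creatorId field may not be changed to point at anyone else.
      allow update: if request.auth != null
                    && resource.data.creatorId == request.auth.uid
                    && request.resource.data.creatorId == resource.data.creatorId;

      // Only the owner may delete.
      allow delete: if request.auth != null
                    && resource.data.creatorId == request.auth.uid;
    }
  }
}
```

The check worth carrying away is the third clause of the update rule: validating who may write a document is not enough if the ownership field itself is writable, because the next read will attribute the attacker's content to the victim. Rules like these can be exercised offline against the Firebase emulator with the Rules unit-testing library before deployment, asserting that an update that changes `creatorId` is denied.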

Arc Bug Bounty Program

The bug bounty program announced by the Browser Company covers Arc on macOS and Windows and Arc Search on the iOS platform.

The set payouts can be summarized in the following four main categories, depending on the severity of the discovered flaws:

  • Critical: Full system access or exploits with significant impact (e.g., no user interaction required). Reward: $10,000 – $20,000
  • High: Serious issues compromising session integrity, exposing sensitive data, or enabling system takeover (including certain browser extension exploits). Reward: $2,500 – $10,000
  • Medium: Vulnerabilities affecting multiple tabs, limited session/data impact, or partial access to sensitive information (may require user interaction). Reward: $500 – $2,500
  • Low: Minor issues needing significant user interaction or limited in scope (e.g., insecure defaults, hard-to-exploit bugs). Reward: Up to $500

More details about Arc's Bounty Program are available here.

Regarding CVE-2024-45489, the Arc team notes in its latest announcement that auto-syncing of Boosts with JavaScript has been disabled, and a toggle to turn off all Boost-related features has been added in Arc 1.61.2, the latest version released on September 26.

Also, an audit conducted by an external auditing professional is underway and will cover Arc's backend systems.

A new MDM configuration option to disable Boosts for entire organizations will be released in the coming weeks.

The Browser Company says new coding guidelines with an increased focus on auditing and reviewing have now been drafted, its incident response process is being revamped for better effectiveness, and new security team members will be welcomed aboard soon.

Launched a little over a year ago, Arc quickly gained popularity thanks to its innovative user interface design, customization options, uBlock Origin integration, and fast performance. Threat actors have even used the browser's popularity to push malware to Windows users.
