Arc browser launches bug bounty program after fixing RCE bug

Arc browser launches bug bounty program after fixing RCE bug
Arc browser launches bug bounty program after fixing RCE bug


The Browser Firm has launched an Arc Bug Bounty Program to encourage safety researchers to report vulnerabilities to the venture and obtain rewards.

This growth is available in response to a vital distant code execution flaw, tracked as CVE-2024-45489, that might have enabled menace actors to launch mass-scale assaults towards customers of this system.

The flaw allowed attackers to use how Arc makes use of Firebase for authentication and database administration to execute arbitrary code on a goal’s browser.

A researcher found what they describe as a “catastrophic” flaw within the “Boosts” (user-created customizations) characteristic that permits customers to make use of JavaScript to change an internet site when it’s visited.

The researcher discovered that they may trigger malicious JavaScript code to run in different customers’ browsers just by altering a Boosts’ creator ID to a different individual’s ID. When that Arc Browser consumer visited the location, it might launch the malicious code created by an attacker.

Though the flaw was current on the browser for fairly some time, it was promptly addressed on August 26, 2024, a day after the researcher responsibly disclosed it to the Arc staff, for which they have been awarded $2,000.

Arc Bug Bounty Program

The bug bounty program announced by the Browser Company covers Arc on macOS and Home windows and Arc Search on the iOS platform.

The set payouts will be summarized within the following 4 predominant classes, relying on the severity of the found flaws:

  • Vital: Full system entry or exploits with important influence (e.g., no consumer interplay required). Reward: $10,000 – $20,000
  • Excessive: Critical points compromising session integrity, exposing delicate information, or enabling system takeover (together with sure browser extension exploits). Reward: $2,500 – $10,000
  • Medium: Vulnerabilities affecting a number of tabs, restricted session/information influence, or partial entry to delicate information (could require consumer interplay). Reward: $500 – $2,500
  • Low: Minor points needing important consumer interplay or restricted in scope (e.g., insecure defaults, hard-to-exploit bugs). Reward: As much as $500

Extra particulars about Arc’s Bounty Program are available here.

Relating to CVE-2024-45489, the Arc staff notes in its newest announcement that auto-syncing of Boosts with JavaScript has been disabled, and a toggle to show off all Enhance-related options has been added on Arc 1.61.2, the most recent model launched on September 26.

Additionally, an audit performed by an exterior auditing knowledgeable is underway and can cowl Arc’s backed programs.

A brand new MDM configuration choice to disable Boosts for whole organizations can be launched within the coming weeks.

The Browser Firm says new coding tips with an elevated deal with auditing and reviewing are actually crafted, its incident response course of is being revamped for higher effectiveness, and new safety staff members can be welcomed aboard quickly.

Launched a bit over a yr in the past, Arc shortly gained recognition due to its modern consumer interface design, customization choices, uBlock Origin integration, and speedy efficiency. Menace actors even used the browser’s recognition to push malware to Home windows customers.

Leave a Reply

Your email address will not be published. Required fields are marked *