Arc Security Allows Access To Anyone's Browser
Based on The PrimeTime's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.
Briefing
The Arc browser was found to allow attackers to hijack other users’ browser customizations (“Arc boosts”) by exploiting how Arc uses Firebase for authentication and how boost data is stored and retrieved. The core issue is Firebase security rules and access control: boosts are stored with a “Creator ID,” and that identifier can be manipulated so that a victim’s browser ends up loading a boost created under a different account. If an attacker can obtain a victim’s Creator ID, they can update a boost document to point at that victim, effectively forcing the victim to receive attacker-controlled JavaScript and settings when the victim visits targeted sites.
The investigation begins with Arc requiring an account and using Firebase for authentication. While probing network behavior, the researcher notices that boost sharing and viewing don’t show up in the expected proxy traffic, which leads to a deeper inspection of how Arc retrieves and applies boosts. The work centers on Firestore (Firebase’s database) and its security model, in which developers rely on security rules to control which reads and writes clients may perform. The researcher then uses a Frida script (JavaScript with Objective-C bindings) to intercept Objective-C calls and log Firestore queries, revealing that Arc’s boost retrieval is keyed on Creator ID.
A proof-of-concept demonstrates that boosts can be created and then modified so that the Creator ID field points to another user. When the victim visits a site like google.com, the victim receives the attacker’s boost changes—despite the boost being created from the attacker’s account. The attack chain becomes complete once the attacker can learn the victim’s Creator ID. The transcript points to multiple plausible ways to obtain it: Arc user referral data (where referrals can expose user identifiers), Arc’s public boost-sharing surfaces (including boost snapshots), and Arc’s “Easel” feature (whiteboards that can be shared and viewed on the web, potentially leaking identifiers).
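The access-control gap described above comes down to what the Firestore rules let a signed-in client do to a boost document. The following is an added example (not Arc’s code, and not from the video): a small model of a weak update policy beside a hardened one, with the equivalent Firestore rule in a comment. The collection name `boosts`, the field name `creatorId`, and the sample user ids are assumptions; the page only says boosts carry a “Creator ID.”

```javascript
// Added example: models the rule check that should guard a boost document.
// `boosts`, `creatorId` and the uids below are assumed/constructed names.
//
// Equivalent Firestore rule (rules language, shown for reference only):
//   match /boosts/{boostId} {
//     allow read, delete: if request.auth != null
//       && resource.data.creatorId == request.auth.uid;
//     allow create: if request.auth != null
//       && request.resource.data.creatorId == request.auth.uid;
//     allow update: if request.auth != null
//       && resource.data.creatorId == request.auth.uid
//       && request.resource.data.creatorId == resource.data.creatorId;
//   }

// Weak policy: any signed-in user may rewrite any boost, owner field included.
function weakAllowUpdate(auth, existing, incoming) {
  return auth !== null;
}

// Hardened policy: only the owner may update, and ownership is immutable.
function strictAllowUpdate(auth, existing, incoming) {
  if (auth === null) return false;
  if (existing.creatorId !== auth.uid) return false;           // not the owner
  if (incoming.creatorId !== existing.creatorId) return false; // re-targeting
  return true;
}

// Read side: a client may only load boosts whose creatorId is its own uid.
function strictAllowRead(auth, doc) {
  return auth !== null && doc.creatorId === auth.uid;
}

// Simulate the re-targeting write from the write-up under a given policy and
// report whether the victim's client would then load the boost.
function simulateRetarget(updatePolicy) {
  const attacker = { uid: 'attacker-uid' };          // constructed sample id
  const victimUid = 'victim-uid';                     // constructed sample id
  const boost = { creatorId: attacker.uid, site: 'example.com', js: '/* boost */' };
  const retargeted = { ...boost, creatorId: victimUid };
  const writeAllowed = updatePolicy(attacker, boost, retargeted);
  const stored = writeAllowed ? retargeted : boost;   // what Firestore now holds
  const victimReceivesBoost = strictAllowRead({ uid: victimUid }, stored);
  return { writeAllowed, victimReceivesBoost };
}
```

Under the weak policy the re-targeting write succeeds and the victim’s client loads the boost; under the hardened policy the write is rejected and the victim loads nothing.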
Because Arc boosts can contain arbitrary JavaScript and are applied based on Creator ID, the impact is more than cosmetic. The researcher frames this as full arbitrary cross-site scripting in privileged contexts, with potential escalation paths. There’s also mention that boosts may execute for other protocols or settings pages, even when boosts can’t be created directly in the client for those targets—expanding the blast radius.
Arc’s response is described as fast and structured. After initial encrypted contact and a proof-of-concept, details were disclosed and the issue was patched. A CVE was assigned, and a bug bounty payout followed—initially $2,000, later increased to $20,000 after further confirmation. Arc also published a write-up and outlined mitigations: adding client-side controls to disable boosts for users who don’t use them, auditing Firebase ACL rules internally, addressing privacy concerns raised during research, and moving off Firebase for new features and products. An external security audit and a broader bug bounty program were also mentioned as part of the remediation plan.
Cornell Notes
Arc boosts—user-customizable page modifications in the Arc browser—are stored in Firebase/Firestore with a “Creator ID.” A researcher found that Creator ID can be manipulated so boosts created by one account can be made to load for another account’s browser. Once an attacker can obtain a victim’s Creator ID (via referrals, public boost surfaces, or shared Easel boards), they can update a boost document to target the victim. Because boosts can contain arbitrary JavaScript, the result is effectively attacker-controlled script execution in the victim’s browser on targeted sites. Arc responded with a patch, a CVE, and a bug bounty that increased to $20,000, alongside plans to audit Firebase rules and move off Firebase for new features.
What is the mechanism that lets one user’s Arc boosts appear in another user’s browser?
Why does the Creator ID matter so much for security?
How could an attacker obtain a victim’s Creator ID?
What makes the impact more serious than normal cross-site scripting?
What remediation steps did Arc outline after the issue was reported?
Review Questions
- How does manipulating the Creator ID field change which boost content Arc loads for a user?
- What information must an attacker obtain to complete the attack chain, and what transcript-listed sources could provide it?
- Why does allowing arbitrary JavaScript inside boosts raise the severity of an access-control flaw?
Key Points
1. Arc boosts are stored with a Creator ID and loaded based on that identifier, so weak access control around Creator ID enables cross-user boost injection.
2. A proof-of-concept showed that updating a boost document’s Creator ID can cause a victim’s browser to apply attacker-controlled boost changes on targeted sites.
3. The attack becomes practical if an attacker can obtain a victim’s Creator ID, with the transcript pointing to referrals, public boost surfaces, and shared Easel boards as possible sources.
4. Because boosts can contain arbitrary JavaScript, the vulnerability can function as full attacker-controlled script execution rather than a limited UI tweak.
5. Arc issued a patch and CVE, and the bug bounty payout increased to $20,000 after further confirmation.
6. Arc’s remediation plan included auditing Firebase ACL rules, adding client-side controls to disable boosts for non-users, addressing privacy concerns, and moving off Firebase for new features/products.
7. Arc also pursued external security review and broader bug bounty coverage to reduce the chance of similar issues recurring.