Arc browser launches bug bounty program after fixing RCE bug

The Browser Firm has launched an Arc Bug Bounty Program to encourage safety researchers to report vulnerabilities to the undertaking and obtain rewards.

This growth is available in response to a vital distant code execution flaw, tracked as CVE-2024-45489, that would have enabled menace actors to launch mass-scale assaults in opposition to customers of this system.

The flaw allowed attackers to use how Arc makes use of Firebase for authentication and database administration to execute arbitrary code on a goal’s browser.

A researcher discovered what they describe as a “catastrophic” flaw within the “Boosts” (user-created customizations) characteristic that permits customers to make use of JavaScript to change an internet site when it’s visited.

The researcher discovered that they may trigger malicious JavaScript code to run in different customers’ browsers just by altering a Boosts’ creator ID to a different individual’s ID. When that Arc Browser person visited the location, it might launch the malicious code created by an attacker.

Though the flaw was current on the browser for fairly some time, it was promptly addressed on August 26, 2024, a day after the researcher responsibly disclosed it to the Arc group, for which they had been awarded $2,000.

Arc Bug Bounty Program

The bug bounty program introduced by the Browser Firm covers Arc on macOS and Home windows and Arc Search on the iOS platform.

The set payouts might be summarized within the following 4 essential classes, relying on the severity of the found flaws:

  • Crucial: Full system entry or exploits with important influence (e.g., no person interplay required). Reward: $10,000 – $20,000
  • Excessive: Critical points compromising session integrity, exposing delicate information, or enabling system takeover (together with sure browser extension exploits). Reward: $2,500 – $10,000
  • Medium: Vulnerabilities affecting a number of tabs, restricted session/information influence, or partial entry to delicate information (could require person interplay). Reward: $500 – $2,500
  • Low: Minor points needing important person interplay or restricted in scope (e.g., insecure defaults, hard-to-exploit bugs). Reward: As much as $500

Extra particulars about Arc’s Bounty Program are accessible right here.

Concerning CVE-2024-45489, the Arc group notes in its newest announcement that auto-syncing of Boosts with JavaScript has been disabled, and a toggle to show off all Enhance-related options has been added on Arc 1.61.2, the most recent model launched on September 26.

Additionally, an audit carried out by an exterior auditing knowledgeable is underway and can cowl Arc’s backed programs.

A brand new MDM configuration choice to disable Boosts for whole organizations might be launched within the coming weeks.

The Browser Firm says new coding pointers with an elevated deal with auditing and reviewing at the moment are crafted, its incident response course of is being revamped for higher effectiveness, and new safety group members might be welcomed aboard quickly.

Launched slightly over a yr in the past, Arc shortly gained reputation due to its progressive person interface design, customization choices, uBlock Origin integration, and speedy efficiency. Risk actors even used the browser’s reputation to push malware to Home windows customers.

Recent articles