Summary
- A researcher found a security flaw in Arc Browser, allowing for a potentially harmful chain of exploits.
- She reported the bug, was rewarded for it, and the issue has since been fixed, with users unaffected.
- Boosts in Arc were assigned to user IDs, but the exploit allowed a user to tweak them, potentially accessing other users' browsers.
The Arc Browser has been on the up-and-up recently with its recent release on Windows. People have been checking the new browser out and gauging it against popular browsers such as Chrome. However, a researcher discovered a nasty flaw that allowed them to hijack other users' browsers, and while it's a particularly scary chain of attack, the flaw was fixed long before you even clicked this article.
Arc fixes a nasty security flaw with its browser
As announced on the Arc blog, the company learned of the exploit via xyzeva, who dubs herself an "(un)professional pentester." She may need to update her resumé soon, as she managed to score $2,000 from Arc by reporting an exploit within the browser.
Xyzeva found an exploit within Arc Boosts, which allowed people to run "custom CSS and Javascript" on any website. Of course, making such a feature public and sharable was ripe for abuse, so Arc assigned each boost to a User ID so only its designer could use it. These boosts were then saved to cloud storage so that the user could access them on any device.
Xyzeva dug into the Arc Boost feature and discovered that she could tweak a boost's User ID to anything she liked. To exploit this, she programmed a boost to run malicious arbitrary code whenever someone visited a popular website, then assigned a victim's User ID to the boost. She says she could easily get this User ID through various data scraping methods.
When the victim booted up Arc, the browser would fetch the malicious boost assigned to them by xyzeva and execute it whenever they visited the website she designated in the boost. This resulted in a nasty attack that allowed her to, in her own words, "[gain] access to anyones browser without them even visiting a website." Xyzeva proved it with an Arc Boost that displayed a popup that said "arf awrf!" whenever her targeted victim visited Google - a harmless attack, but something that could easily evolve into something really sinister.
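As the article describes it, the root problem is a write path that lets the client change which User ID a boost belongs to. The sketch below is an added example, not Arc's code or code from xyzeva's write-up; the in-memory store and the field names `owner_uid`, `site` and `code` are assumptions made for illustration. It puts the weak update path beside one that treats ownership as immutable.

```python
# Added illustration; the store layout and field names are assumptions, not Arc's schema.
import copy

class Forbidden(Exception):
    """Raised when a write is rejected by the authorization check."""

IMMUTABLE = {"id", "owner_uid"}  # fields a client may never rewrite

def boosts_for_user(store, uid):
    """What a browser would sync on launch: every boost whose owner field matches uid."""
    return [b for b in store.values() if b["owner_uid"] == uid]

def update_boost_weak(store, session_uid, boost_id, patch):
    """Flawed pattern: the caller must own the boost, but the patch may rewrite owner_uid."""
    boost = store[boost_id]
    if boost["owner_uid"] != session_uid:
        raise Forbidden("not the owner")
    boost.update(patch)  # ownership is taken from client-supplied data
    return boost

def update_boost_strict(store, session_uid, boost_id, patch):
    """Hardened pattern: same ownership check, plus ownership fields are read-only."""
    boost = store[boost_id]
    if boost["owner_uid"] != session_uid:
        raise Forbidden("not the owner")
    blocked = IMMUTABLE & set(patch)
    if blocked:
        raise Forbidden(f"immutable field(s): {sorted(blocked)}")
    boost.update(patch)
    return boost

def demo():
    """Apply the same owner-changing patch to both paths and compare what user-b would sync."""
    base = {"b1": {"id": "b1", "owner_uid": "user-a",
                   "site": "example.com", "code": "/* constructed sample */"}}
    patch = {"owner_uid": "user-b"}  # constructed request body
    weak, strict = copy.deepcopy(base), copy.deepcopy(base)
    update_boost_weak(weak, "user-a", "b1", patch)
    try:
        update_boost_strict(strict, "user-a", "b1", patch)
        rejected = False
    except Forbidden:
        rejected = True
    return len(boosts_for_user(weak, "user-b")), len(boosts_for_user(strict, "user-b")), rejected

if __name__ == "__main__":
    print(demo())
```

With the weak path the boost shows up in the second user's sync list; with the strict path the write is refused and that list stays empty.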
If you're on Arc, don't worry. Because xyzeva is a professional pentester, she reported the bug to Arc long before her blog post, and the issue has since been fixed. Arc stated that xyzeva was the only person to discover the flaw, meaning no members were affected by the malicious Arc Boost exploit. Still, if you have the browser, perhaps now's a good time to update it.
