
A catastrophic browser flaw is patched almost immediately - here's how

Yuichiro Chino/Getty Images

Last month, a security researcher discovered a pretty nasty bug in the Arc browser. The bug centered on Firestore, a database-as-a-backend service that lets developers avoid writing a backend for their apps. The researcher, known as xyz3va, knew that Firestore does not always abide by system proxy settings, so they set out to write a script to exploit this vulnerability.

It worked.


According to xyz3va, Arc stores some of its preferences, including "boosts," in Firestore. Arc boosts let users customize websites by blocking elements, changing fonts and colors, and even applying custom CSS and JavaScript.

The boosts feature allowed xyz3va to arbitrarily change the creatorID field to any user. All a hacker would then have to do is find a user's ID and build a full attack chain for that user. Those IDs can be discovered via user referrals, published boosts, and user easels, making it easy for someone with malicious intent to obtain a user ID.
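The root cause the article describes is a client being allowed to write an ownership field (creatorID) that the backend never checks against the authenticated user. The following Firestore security rules are an added illustration of that class of bug and its fix; they are not Arc's or The Browser Company's actual configuration, and the collection name `boosts`, the field name `creatorID`, and the exact rule shape are assumptions made for the example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (assumed shape, for illustration): any signed-in user may write any
    // boost document, so a client can set creatorID to a victim's user ID.
    // match /boosts/{boostId} {
    //   allow read, write: if request.auth != null;
    // }

    // HARDENED: the server binds creatorID to the caller's own uid.
    match /boosts/{boostId} {
      // Anyone signed in may read (adjust to your product's sharing model).
      allow read: if request.auth != null;

      // On create, the stored creatorID must equal the authenticated uid;
      // the client cannot choose it.
      allow create: if request.auth != null
        && request.resource.data.creatorID == request.auth.uid;

      // On update/delete, the caller must already own the document, and
      // the ownership field must not change.
      allow update, delete: if request.auth != null
        && resource.data.creatorID == request.auth.uid
        && request.resource.data.creatorID == resource.data.creatorID;
    }
  }
}
```

The point of the hardened block is that ownership is decided by `request.auth.uid`, which the Firestore backend derives from the verified ID token, rather than by a field the client supplies. Testing rules like these with the Firebase emulator, including attempts to create or update a document with someone else's uid in `creatorID`, is the check that would have caught the behavior described above.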

Sounds fairly menacing, right? Catastrophic is the right word.

However, The Browser Company -- creators of Arc -- did something usually associated with open-source software -- they patched the vulnerability almost immediately. xyz3va reported the bug to company co-founder Hursh Agrawal and -- by the next day -- the vulnerability was patched and the update sent to browsers. 

The next day.


Typically, when a vulnerability is discovered in proprietary software, the fix can take time. Not only does the company have to vet the vulnerability, come up with a fix, and apply the fix, but that fix has to go through what can often be a convoluted process involving those who have nothing to do with development. That kind of red tape can slow down the process of patching vulnerabilities.

Over the years, I've watched companies take weeks (even months) to patch serious vulnerabilities; yet here we have The Browser Company proving that it can be done quickly and without complications.

That's how you do it!

That's also how you win over new users; you show them how serious you are about their privacy and security by listening to others and patching issues as quickly as possible.


This vulnerability could have been an unmitigated disaster for The Browser Company, but they handled it to perfection. I've been using Arc Browser on macOS for nearly a year, and this instance serves to bolster my respect for the browser and the company behind it.

If you want to learn more about the CVE-2024-45489 incident, check out the official report from The Browser Company.

Wednesday, 25 September 2024