Arc’s Boosts feature lets users customize websites with custom CSS and JavaScript. Sharing Boosts that contain custom JavaScript was restricted for security reasons, but such Boosts were still synced across devices through Firebase.
Because the Firebase ACLs were misconfigured, any user could change the creatorID of a Boost, which activated it for the account that creatorID now referred to and ran the Boost’s custom CSS or JavaScript on the targeted website, with the potential for malicious actions.
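As an added illustration, not taken from the page or from Arc’s own configuration, this is what such a misconfiguration and its fix could look like as Firestore security rules. It assumes a `boosts` collection whose documents carry the `creatorID` field named on the page; the collection name, and the use of Firestore rather than another Firebase database, are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Hypothetical collection name; the page only names the creatorID field.
    match /boosts/{boostId} {

      // Weak (commented out): any signed-in user may overwrite any field of any
      // Boost, including creatorID, so a Boost can be re-pointed at another account.
      // allow read, write: if request.auth != null;

      // Hardened: reads stay open to signed-in users.
      allow read: if request.auth != null;

      // A new Boost must be created under the caller's own uid.
      allow create: if request.auth != null
                    && request.resource.data.creatorID == request.auth.uid;

      // Only the current owner may update, and creatorID must not change.
      allow update: if request.auth != null
                    && resource.data.creatorID == request.auth.uid
                    && request.resource.data.creatorID == resource.data.creatorID;

      // Only the current owner may delete.
      allow delete: if request.auth != null
                    && resource.data.creatorID == request.auth.uid;
    }
  }
}
```

In Firestore rules any matching `allow` statement grants access, so leaving the permissive rule in place alongside the stricter ones would silently undo the fix.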
The vulnerability was reported by a security researcher, and the Firebase access logs were reviewed to determine whether unauthorized individuals had modified any creatorIDs.
That review found that no Arc members were affected: every creatorID change in the logs had been made by the researcher themselves, and no unauthorized alterations were detected.
They worked with the vendor to address the critical Access Control List (ACL) vulnerability and, after the necessary patches were deployed, verified the effectiveness of the fix together with the vendor.
A CVE submission was initiated, and a bounty was paid to the person who reported the vulnerability in recognition of its severity.
Although they have not yet established a formal bug bounty program, this incident underscores the value of such programs in maintaining a secure ecosystem.
A second recent security vulnerability in Arc involved the accidental leakage of a user’s current website URL whenever the Boost editor was open; it was caused by a flaw in the product’s navigation system that logged these requests unnecessarily.
To prevent recurrence, they have removed the logging of these requests entirely and added measures to ensure that the Boost editor does not inadvertently disclose sensitive user information.
They are also updating Boosts so that JavaScript is disabled for synced Boosts by default; Boosts with custom JavaScript must be explicitly enabled.
To prevent unauthorized Boost usage, they are adding an MDM configuration option that disables Boosts across an entire organization. They are also moving away from Firebase for new features and products to avoid similar ACL issues.
In response to the Firebase ACL vulnerabilities, they carried out a comprehensive security overhaul, including a detailed emergency audit, additional security team resources, and improved communication.
By adopting a bounty program with clear severity-based rewards and listing security mitigations in release notes, they aim for transparency and proactive risk management.
The objective is to maintain the highest security standards, comparable to the approach taken by Tailscale, and to reduce risks before they become more severe.