Pitch Deck Template
Startup Dubai Konnect

Researcher reveals ‘catastrophic’ security flaw in the Arc browser

, By The Verge
Researcher reveals ‘catastrophic’ security flaw in the Arc browser
Cyber Security

Share via:


Arc has a feature called Boosts that allows you to customize any website with custom CSS and Javascript. Since running arbitrary Javascript on websites has potential security concerns, we opted not to make Boosts with custom Javascript shareable across members, but we still synced them to our server so that your own Boosts are available across devices.

We use Firebase as the backend for certain Arc features (more on this below), and use it to persist Boosts for both sharing and syncing across devices. Unfortunately our Firebase ACLs (Access Control Lists, the way Firebase secures endpoints) were misconfigured, which allowed users Firebase requests to change the creatorID of a Boost after it had been created. This allowed any Boost to be assigned to any user (provided you had their userID), and thus activate it for them, leading to custom CSS or JS running on the website the boost was active on.



Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We StartupNews.fyi want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Previous News
Aethir partners with Filecoin to solve GPU shortage, boost AI
Next News
Moglix Infuses $50 Mn In Its Financing Arm Credlix
The Verge
The Verge

Popular

More Like this

Load more

Researcher reveals ‘catastrophic’ security flaw in the Arc browser

, By The Verge
Researcher reveals ‘catastrophic’ security flaw in the Arc browser
Cyber Security


Arc has a feature called Boosts that allows you to customize any website with custom CSS and Javascript. Since running arbitrary Javascript on websites has potential security concerns, we opted not to make Boosts with custom Javascript shareable across members, but we still synced them to our server so that your own Boosts are available across devices.

We use Firebase as the backend for certain Arc features (more on this below), and use it to persist Boosts for both sharing and syncing across devices. Unfortunately our Firebase ACLs (Access Control Lists, the way Firebase secures endpoints) were misconfigured, which allowed users Firebase requests to change the creatorID of a Boost after it had been created. This allowed any Boost to be assigned to any user (provided you had their userID), and thus activate it for them, leading to custom CSS or JS running on the website the boost was active on.



Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We StartupNews.fyi want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Website Upgradation is going on for any glitch kindly connect at office@startupnews.fyi

Previous News
Aethir partners with Filecoin to solve GPU shortage, boost AI
Next News
Moglix Infuses $50 Mn In Its Financing Arm Credlix
The Verge
The Verge

More like this

Bitcoin outperformed nearly every asset class in past year...

Blockchain Cointelegraph -
VanEck expects Bitcoin’s long-term bull market to continue,...

dbrand delivers the grippiest iPhone 16 case, ‘idiot-proof’ screen...

Tech 9to5mac -
“Definitely not a cult” dbrand has launched three...

The iPhone 16 launches today, without its most hyped...

Artificial Intelligence Techcrunch -
The iPhone 16 officially goes on sale Friday....
Load more

Popular

Upcoming Events

View all
Event Updates

Startup Information that matters. Get in your inbox Daily!

Subscribe

StartupNews.fyi

Subscribe

© 2024 StartupNews.fyi | DOTFYI Media Ventures Private Limited. All Rights Reserved.

StartupNews.fyi

StartupNews.fyi is India's leading news & Technology media company that focuses on Startups in India and to stories across the globe.

© 2024 StartupNews.fyi | DOTFYI Media Ventures Private Limited. All Rights Reserved.