The Browser Company has introduced an Arc Bug Bounty Program to encourage security researchers to report vulnerabilities to the project and receive rewards.
This development comes in response to a critical remote code execution flaw, tracked as CVE-2024-45489, that could have enabled threat actors to launch mass-scale attacks against users of the program.
The flaw allowed attackers to exploit how Arc uses Firebase for authentication and database management to execute arbitrary code on a target’s browser.
A researcher found what they describe as a “catastrophic” flaw in the “Boosts” (user-created customizations) feature that allows users to use JavaScript to modify a website when it is visited.
The researcher found that they could cause malicious JavaScript code to run in other users’ browsers simply by changing a Boosts’ creator ID to another person’s ID. When that Arc Browser user visited the site, it would launch the malicious code created by an attacker.
Although the flaw was present on the browser for quite a while, it was promptly addressed on August 26, 2024, a day after the researcher responsibly disclosed it to the Arc team, for which they were awarded $2,000.
Arc Bug Bounty Program
The bug bounty program announced by the Browser Company covers Arc on macOS and Windows and Arc Search on the iOS platform.
The set payouts can be summarized in the following four main categories, depending on the severity of the discovered flaws:
- Critical: Full system access or exploits with significant impact (e.g., no user interaction required). Reward: $10,000 – $20,000
- High: Serious issues compromising session integrity, exposing sensitive data, or enabling system takeover (including certain browser extension exploits). Reward: $2,500 – $10,000
- Medium: Vulnerabilities affecting multiple tabs, limited session/data impact, or partial access to sensitive info (may require user interaction). Reward: $500 – $2,500
- Low: Minor issues needing significant user interaction or limited in scope (e.g., insecure defaults, hard-to-exploit bugs). Reward: Up to $500
More details about Arc’s Bounty Program are available here.
Regarding CVE-2024-45489, the Arc team notes in its latest announcement that auto-syncing of Boosts with JavaScript has been disabled, and a toggle to turn off all Boost-related features has been added on Arc 1.61.2, the latest version released on September 26.
Also, an audit conducted by an external auditing expert is underway and will cover Arc’s backed systems.
A new MDM configuration option to disable Boosts for entire organizations will be released in the coming weeks.
The Browser Company says new coding guidelines with an elevated focus on auditing and reviewing are now crafted, its incident response process is being revamped for better effectiveness, and new security team members will be welcomed aboard soon.
Launched a little over a year ago, Arc quickly gained popularity thanks to its innovative user interface design, customization options, uBlock Origin integration, and speedy performance. Threat actors even used the browser’s popularity to push malware to Windows users.