Full Report
Arc is a new browser focused on security and privacy. They recently added cloud functionality for storing CSS and JavaScript browser customizations called Boosts. Firebase is a database-as-a-service: instead of writing a full backend, you write security rules for what users can and can't do. Although this tool is awesome, many folks have messed up the rules in the past. Reading the Firebase security rules, we can't modify other users' data directly because it's queried by CreatorId. However, we can specify our boost to have another user's ID! Most of the time, blindly adding information to a user isn't helpful. In the case of JavaScript being run in the browser, it's real bad though. To find user IDs, an attacker can look for referrals, published boosts and whiteboards. To make matters worse, privileged pages in Chromium, such as chrome://settings, were affected by this. Since these pages have special permissions, it's likely that RCE was possible. Arc decided to migrate off of Firebase in light of this issue. I personally haven't spent too much time looking at Firebase, but it seems popular yet difficult to use securely. Good find!
Analysis Summary
# Vulnerability: Arc Browser Remote Code Execution via Firebase ACL Misconfiguration
## CVE Details
- **CVE ID:** CVE-2024-45489
- **CVSS Score:** 10.0 (Critical) - *Note: Based on the impact of full, remote, zero-click compromise of all users.*
- **CWE:** CWE-284: Improper Access Control (Specifically Firebase Security Rule Misconfiguration)
## Affected Systems
- **Products:** Arc Browser (The Browser Company)
- **Versions:** Versions prior to v1.61.1
- **Configurations:** Systems where "Boosts" (custom CSS/JS) were enabled and cloud-syncing with Firebase.
## Vulnerability Description
The vulnerability stems from an insecure Firebase Firestore security rule. Arc used Firebase to sync "Boosts"—user-created customizations for websites that run arbitrary JavaScript.
While the application logic prevented users from directly modifying other users' data by querying via `creatorID`, the database security rules allowed any authenticated user to create or update an entry in the `boosts` collection and manually set the `creatorID` field to any other user's unique identifier (UID). Because the browser client automatically pulls and executes Boosts matching the current user's UID, an attacker could "push" malicious JavaScript into another user's browser session.
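As an added illustration (not Arc's actual rule set, which the report does not reproduce), here is a Firestore rule of the weak shape described above next to a hardened version. The collection name `boosts` and the field name `creatorID` come from the text; the rule bodies themselves are assumed.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (illustrative): any signed-in user may create or update any
    // document, and nothing ties the creatorID field to the caller, so a
    // write can carry another user's UID and the client that filters by
    // creatorID will pull it down and run it.
    //
    // match /boosts/{boostId} {
    //   allow read, write: if request.auth != null;
    // }

    // HARDENED (illustrative): ownership is bound to the authenticated UID
    // on every operation, and an update may not reassign creatorID.
    match /boosts/{boostId} {
      allow read: if request.auth != null
                  && resource.data.creatorID == request.auth.uid;

      // On create, the document being written must name the caller.
      allow create: if request.auth != null
                    && request.resource.data.creatorID == request.auth.uid;

      // On update, the existing document must already belong to the caller
      // and the new version must still name the caller (no reassignment).
      allow update: if request.auth != null
                    && resource.data.creatorID == request.auth.uid
                    && request.resource.data.creatorID == request.auth.uid;

      allow delete: if request.auth != null
                    && resource.data.creatorID == request.auth.uid;
    }
  }
}
```

The read rule is compatible with a client query of the form `where("creatorID", "==", uid)`, which Firestore can prove satisfies the rule; a query without that filter is rejected outright rather than silently filtered.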
## Exploitation
- **Status:** PoC available (confirmed by vendor and researcher).
- **Complexity:** Low (Requires knowing a victim's UID).
- **Attack Vector:** Network (Remote, zero-click for the victim).
**Exploit Flow:**
1. Attacker obtains a victim's `creatorID` (found via shared Easels, whiteboards, or published Boosts).
2. Attacker creates a new Boost in the Firebase database.
3. Attacker modifies the `creatorID` of the Boost to match the victim's UID and sets the `hostPattern` to a site the victim likely visits (e.g., `google.com`).
4. When the victim visits that site, the malicious JavaScript executes immediately.
## Impact
- **Confidentiality:** Total (Attacker can steal cookies, session tokens, and browsing data).
- **Integrity:** Total (Attacker can modify any webpage content or execute actions as the user).
- **Availability:** Total (Potential for RCE and browser instability).
- **Escalation:** The vulnerability affected privileged pages (e.g., `chrome://settings`), providing a path to full Remote Code Execution (RCE) and browser escape.
## Remediation
### Patches
- **Version 1.61.1:** Arc remediated the issue by correcting the Firebase ACLs and eventually migrating away from Firebase for these features.
### Workarounds
- **Disable Boosts:** Users could manually disable the Boosts feature in the client to prevent arbitrary code execution before the patch was applied.
## Detection
- **Indicators of Compromise:**
  - Presence of unknown Boosts in the user's "My Boosts" section.
  - Unexpected JavaScript behavior on high-traffic websites.
- **Detection Methods:** Audit of Firebase Firestore traffic for unauthorized `creatorID` assignments.
## References
- **Researcher Write-up:** hxxps://eva[.]site/posts/arc-vulnerability/
- **Vendor Advisory:** hxxps://arc[.]net/blog/CVE-2024-45489-incident-response
- **CVE Link:** hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2024-45489