A severe security flaw was discovered in the Arc browser, but it was patched almost immediately. If only proprietary software were this responsive.
Last month, security researcher xyz3va uncovered a serious vulnerability in the Arc browser. The issue involved Firestore, a backend database service used by developers to store app data. It turned out that Firestore didn’t always respect system proxy settings, which prompted xyz3va to write a script that talked to the backend directly and exploited the weakness. The exploit worked.
In Arc, certain user preferences—like “boosts”—are stored in Firestore. Boosts let users customize websites by modifying elements, changing colors and fonts, and even running custom CSS or JavaScript. The vulnerability allowed xyz3va to alter a boost’s “creatorID” field, the value that ties a boost to the account it belongs to, and that is what made the flaw exploitable. All an attacker needed was a target’s user ID, and IDs could be discovered through user referrals, published boosts, or user easels, so the pieces could be chained into a full attack.
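The defensive lesson here is that a client-side setting (proxy handling, in this case) is never the security boundary for a Firestore-backed app; the server-side security rules are. The following rule set is an added illustration and not The Browser Company’s actual rules: it assumes a hypothetical `boosts` collection whose documents carry a `creatorID` field, and it shows what rules that prevent the ownership change described above look like.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Hypothetical collection name; Arc's real schema is not on the page.
    match /boosts/{boostId} {
      // Anyone signed in may read a boost.
      allow read: if request.auth != null;

      // On create, the creatorID must be the caller's own UID,
      // so a user cannot mint a boost "owned" by someone else.
      allow create: if request.auth != null
                    && request.resource.data.creatorID == request.auth.uid;

      // On update, only the current owner may write, and the
      // creatorID field must survive the write unchanged. This is
      // the check whose absence lets a boost be reassigned to a victim.
      allow update: if request.auth != null
                    && resource.data.creatorID == request.auth.uid
                    && request.resource.data.creatorID == resource.data.creatorID;

      // Only the owner may delete.
      allow delete: if request.auth != null
                    && resource.data.creatorID == request.auth.uid;
    }
  }
}
```

Because these rules are evaluated by Firestore itself, they hold no matter how the request reaches the backend, whether through the app, a proxy, or a hand-written script. The `update` clause compares the stored document (`resource`) with the incoming one (`request.resource`), which is the pattern for pinning any field that establishes ownership.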
That sounds pretty alarming, doesn’t it? In fact, “catastrophic” is a fitting term for this bug.
However, in a rare and commendable move, The Browser Company, which developed Arc, responded swiftly, much like open-source projects typically do. After xyz3va reported the issue to co-founder Hursh Agrawal, the company fixed the bug and shipped the update the very next day.
Such rapid response is rare in the world of proprietary software. Typically, when a vulnerability is found, the company must verify the issue, develop a fix, and navigate through layers of bureaucracy and red tape, often leading to delays in issuing a patch. In contrast, The Browser Company’s quick action here shows how swiftly things can be done when a company prioritizes security and user trust.
This stands in stark contrast to the usual pace seen in many other software companies, where it can take weeks—or even months—to address major security flaws. Arc’s prompt resolution is a stellar example of how to handle such issues efficiently and without delay.
It’s this kind of quick response to security issues that can win new users, as it demonstrates the company’s commitment to protecting user privacy and safety. This incident only strengthens my trust in Arc and The Browser Company, and I’ve been a dedicated user of the Arc Browser on macOS for almost a year.