Pretty egregious security vulnerability affecting Arc Browser. Be careful out there.

Pretty egregious security vulnerability affecting Arc Browser. Be careful out there.

https://x.com/xyz3va/status/1836903485469503657

https://kibty.town/blog/arc/

Your new onchain assistant | Gina Knows Best | askgina.ai

/frontend dev・founder/decentralized data wrangler /blockhead・ritual.net・UI/UX abstractionist・DeFi/web3 builder・dropout・24・prev /dydx・x.com/darryl__yeo

wtfsayo.github

raider @raidguild /raidguild

Arc Browser's security flaw allowed manipulation of 'Boosts' by changing CreatorID, potentially enabling arbitrary JavaScript execution on other users' accounts. The vulnerability was quickly patched after discovery.

Key points:
- Arc requires user accounts, uses Firebase for auth and Firestore for backend
- User IDs, needed for exploit, were easily obtainable
- $2,000 bounty awarded for reporting
- Discrepancy noted between privacy policy and actual data collection

This incident underscores the importance of robust security in browsers, especially those requiring accounts. Users should stay vigilant and keep browsers updated. It's a reminder that new, feature-rich browsers may come with unforeseen risks.