Arc Vulnerability

September 25, 2024

Hursh Agrawal, CEO of The Browser Company, on the company blog:

We want to let all Arc users know that a security vulnerability existed in Arc prior to 8/25/24. We were made aware of a vulnerability on 8/25; it was fixed on 8/26. This issue allowed the possibility of remote code execution on users’ computers. We’ve patched the vulnerability immediately, already rolled out the fix, and verified that no one outside of the security researcher who discovered the bug has exploited it.

The vulnerability was discovered by “xyzeva”, who has an awesome write-up on their blog, including this summary of the facts:

  • arc boosts can contain arbitrary javascript
  • arc boosts are stored in firestore
  • the arc browser gets which boosts to use via the creatorID field
  • we can arbitrarily change the creatorID field to any user id

thus, if we were to find a way to easily get someone else's user id, we would have a full attack chain

This was an incredible find, and honestly, quite a sloppy bug. I’ve been using Arc for a few months now as my daily driver and I really like it. Glad this is fixed.

Also, nice to see that Arc is taking care of the hacker for disclosing this vulnerability properly with a $20k bounty.
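
An added illustration, not from the original post and not Arc's actual configuration: Firestore security rules that close the gap in the summary above by tying creatorID to the authenticated user on every write. The collection name "boosts" and the commented-out weak rule are assumptions made for the example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // "boosts" is an assumed collection name, used for illustration only.
    match /boosts/{boostId} {
      function signedIn() {
        return request.auth != null;
      }
      // True when the document as currently stored belongs to the caller.
      function ownsExisting() {
        return signedIn() && resource.data.creatorID == request.auth.uid;
      }
      // True when the document as it would be written names the caller as creator.
      function ownsIncoming() {
        return signedIn() && request.resource.data.creatorID == request.auth.uid;
      }

      // Weak pattern (assumed, kept as a comment so it is never active):
      // it checks who owns the stored document but not the incoming value,
      // so an owner can rewrite creatorID to any other user id.
      //   allow update: if ownsExisting();

      // Hardened rules: creatorID must equal the caller's uid before and
      // after every write, so a boost can never be reassigned to another user.
      allow read, delete: if ownsExisting();
      allow create: if ownsIncoming();
      allow update: if ownsExisting() && ownsIncoming();
    }
  }
}
```

With the update rule above, a write that sets creatorID to another user's id is rejected on the server, whatever the client sends.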