The vulnerability was linked to Arc’s “Boost” feature, which allows users to customize websites using CSS and JavaScript. While the company had previously restricted access to boosts that included custom JavaScript, a loophole in Firebase’s backend configuration allowed users to change the creator ID after the boost was created. An attacker who obtained another user’s ID through various means could therefore potentially get the boost synced to that user’s device.
To improve security, The Browser Company has disabled JavaScript by default in synced boosts, requiring users to explicitly enable it on other devices. The company also plans to stop using Firebase for new features and beef up its security team.
Source: Ferra
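The class of bug described above, as an added example that is not Arc's or Firebase's code: an update rule that checks only current ownership lets the creator ID be rewritten, while a rule that also pins the field rejects the change. The field names (`creatorID`, `jsEnabled`), user IDs, and all function names are assumptions made for this illustration.

```javascript
// Constructed in-memory model of a synced-boost store. Field and function
// names are assumptions for illustration, not Arc's or Firebase's schema.

// Weak rule: allows any update as long as the caller owns the document now.
function weakUpdateRule(authUid, existing, incoming) {
  return existing.creatorID === authUid;
}

// Hardened rule: caller must own the document AND creatorID must not change.
function strictUpdateRule(authUid, existing, incoming) {
  return existing.creatorID === authUid &&
         incoming.creatorID === existing.creatorID;
}

class BoostStore {
  constructor(updateRule) {
    this.updateRule = updateRule;
    this.docs = new Map();
  }
  create(authUid, id, data) {
    // creatorID is taken from the authenticated caller, never from the payload.
    this.docs.set(id, { ...data, creatorID: authUid });
  }
  update(authUid, id, patch) {
    const existing = this.docs.get(id);
    if (!existing) return false;
    const incoming = { ...existing, ...patch };
    if (!this.updateRule(authUid, existing, incoming)) return false;
    this.docs.set(id, incoming);
    return true;
  }
  // What a device receives on sync: every boost whose creatorID matches it.
  // Mitigation from the article: JavaScript stays off until the user
  // explicitly enables that boost on this device.
  syncFor(uid, deviceOptIns = new Set()) {
    return [...this.docs.entries()]
      .filter(([, d]) => d.creatorID === uid)
      .map(([id, d]) => ({ id, css: d.css, js: d.js, jsEnabled: deviceOptIns.has(id) }));
  }
}

// Runs the same ownership-change request against a given rule.
function reassignAttempt(rule) {
  const store = new BoostStore(rule);
  store.create('user-a', 'boost-1', { css: 'body{}', js: 'console.log(1)' });
  const accepted = store.update('user-a', 'boost-1', { creatorID: 'user-b' });
  return { accepted, syncedToB: store.syncFor('user-b') };
}
```

With the weak rule the reassigned boost shows up in the other user's sync set, though with JavaScript still disabled; with the strict rule the update is rejected and nothing is synced.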
