Arc browser launches bug bounty program following worrying issues

News
By
published

Cybersecurity researchers can now earn money by helping secure the Arc browser

screenshot of arc browser
(Image credit: Future)

Security researchers can now earn money by finding bugs in the Arc browser, the company has revealed.

The Browser Company, the owners and maintainers of the software, have announced a new bounty program to help them plug dangerous holes.

Rather unimaginatively called the Arc Bug Bounty Program, users can hunt for bugs on macOs and Windows, and in the Arc Search on the iOS platform.

Arc browser flaws

Depending on the severity of the vulnerability discovered, the researchers can expect different payouts.

Low-severity issues can earn them up to $500, medium ones anywhere between $500 and $2,500, while high ones pay out between $2,500 and $10,000. Discovering a critical vulnerability, which grants full system access or can otherwise result in significant impact, pays out anywhere between $10,000 and $20,000.

The Browser Company decided to set up its own bug bounty program after being tipped off about CVE-2024-45489.

This was a critical vulnerability affecting versions before 2024-08-26, allowing for remote code execution through JavaScript boosts. In the Arc browser, "Boosts" are tools that allow users to customize websites by changing their appearance or functionality.

The problem arises from misconfigured Firebase Access Control Lists (ACLs), which allow attackers to create or update a JavaScript boost using another user's ID. This leads to the malicious installation of the boost in the victim's browser, where it runs arbitrary code with elevated privileges. Despite the severity, this vulnerability is categorized as a "no-action" issue, meaning there are zero affected users due to cloud protections​. This is also probably why the researcher who disclosed the vulnerability was only awarded $2,000 for their discovery.

The bug was addressed in late August 2024, by disabling auto-syncing of Boosts with JavaScript. Furthermore, late last month, the team added a toggle to turn off all Boost-related features.

Via BleepingComputer

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.