Remote Code Execution in JavaScript Boosts via Misconfigured Firebase ACLs
CVE-2024-45489
Key Information:
- Vendor: JavaScript Boosts
- CVE Published: 20 September 2024
What is CVE-2024-45489?
CVE-2024-45489 is a remote code execution vulnerability in the Arc browser's JavaScript Boosts feature, caused by misconfigured Firebase ACLs. The flaw could have allowed unauthorized parties to run arbitrary JavaScript in users' browsers, but it was not exploited by anyone other than the security researcher who reported it. The Browser Company addressed the issue promptly, implementing security enhancements and mitigations to prevent similar vulnerabilities in future. The company also plans to move new features away from Firebase to reduce the risk of further ACL-related vulnerabilities. No action is required from Arc browser users, as the vulnerability has been fully addressed.
News Articles
Arc browser launches bug bounty program after fixing RCE bug
The Browser Company has introduced an Arc Bug Bounty Program to encourage security researchers to report vulnerabilities to the project and receive rewards.
Arc Browser Vulnerability CVE-2024-45489: Details And Response
The Browser Company addressed the Arc browser vulnerability, ensuring user safety and implementing future security enhancements.
Researcher reveals ‘catastrophic’ security flaw in the Arc browser
CVE-2024-45489 was patched in late August but would have allowed attackers to upload arbitrary code to victims with just a user ID.
EPSS Score
7% chance of being exploited in the next 30 days.
Timeline
- Exploit known to exist
- First article discovered by The Verge
- Vulnerability published
