CVE-2024-45489

9.8 CRITICAL

📋 TL;DR

This vulnerability in the Arc browser allows attackers to create or update JavaScript boosts using another user's ID because of misconfigured Firebase ACLs. A boost written this way is installed in the victim's browser and executes arbitrary JavaScript in a privileged context. No users were actually affected; this was a cloud-side vulnerability that requires no user action.

💻 Affected Systems

Products:
  • Arc Browser
Versions: All versions before 2024-08-26
Operating Systems: macOS, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: This was a cloud-side vulnerability in Firebase ACL configuration, not a client-side issue. The vulnerability existed regardless of user configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of victim's browser session allowing data theft, credential harvesting, and further system exploitation through the privileged JavaScript execution context.

🟠 Likely Case

Attackers could steal sensitive browser data, session cookies, and perform actions on behalf of the victim within the browser's privileged context.

🟢 If Mitigated

With proper Firebase ACL configurations, unauthorized boost creation/updates would be prevented, eliminating the attack vector.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to interact with the Firebase backend but does not require user authentication or action. The vulnerability was discovered and fixed before any known exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2024-08-26

Vendor Advisory: https://arc.net/blog/CVE-2024-45489-incident-response

Restart Required: No

Instructions:

  1. Ensure Arc browser is updated to a version after 2024-08-26.
  2. The fix is cloud-side and requires no user action: the Firebase ACLs have been corrected.

🔧 Temporary Workarounds

Disable JavaScript Boosts (platform: all)

Prevent JavaScript boosts from running in the browser

🧯 If You Can't Patch

  • Monitor for suspicious boost creation activity in Firebase logs
  • Implement network filtering to block unauthorized Firebase API calls

🔍 How to Verify

Check if Vulnerable:

Check the Arc browser version: a version from before 2024-08-26 is potentially vulnerable (though the cloud-side fix is already deployed).

Check Version:

Check Arc browser settings or about page for version information

Verify Fix Applied:

Verify the browser is updated to a version after 2024-08-26 and confirm that the Firebase ACLs are properly configured.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized Firebase API calls to create/update boosts
  • Suspicious boost creation with mismatched user IDs

Network Indicators:

  • Unusual traffic to Firebase endpoints from unauthorized sources
  • JavaScript payloads in boost creation requests

SIEM Query:

firebase AND (boost_create OR boost_update) AND user_id_mismatch
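
The "mismatched user IDs" indicator above, written out as detection logic over audit records. This is an added example, not code from Arc or from this database. The log schema (`auth_uid`, `op`, `boost_id`, `owner_id`) and the sample records are constructed assumptions, and the third check (an update by a uid that does not own the boost) goes one step beyond the mismatch the page describes.

```python
import json

# Constructed audit records, not real Arc or Firebase logs. The field names
# (auth_uid, op, boost_id, owner_id) are assumptions made for this example.
SAMPLE_LOG = """\
{"ts": "2024-08-20T10:00:00Z", "auth_uid": "alice", "op": "boost_create", "boost_id": "b1", "owner_id": "alice"}
{"ts": "2024-08-20T10:01:00Z", "auth_uid": "mallory", "op": "boost_create", "boost_id": "b2", "owner_id": "mallory"}
{"ts": "2024-08-20T10:02:00Z", "auth_uid": "mallory", "op": "boost_create", "boost_id": "b3", "owner_id": "bob"}
{"ts": "2024-08-20T10:03:00Z", "auth_uid": "mallory", "op": "boost_update", "boost_id": "b2", "owner_id": "alice"}
{"ts": "2024-08-20T10:04:00Z", "auth_uid": "mallory", "op": "boost_update", "boost_id": "b1", "owner_id": "mallory"}
{"ts": "2024-08-20T10:05:00Z", "auth_uid": "alice", "op": "boost_update", "boost_id": "b1", "owner_id": "alice"}
not-json line left in to show malformed input is skipped
"""

WRITE_OPS = {"boost_create", "boost_update"}


def find_owner_mismatches(lines):
    """Return (ts, boost_id, reason) for boost writes not made by the owner."""
    owners = {}  # boost_id -> owner from the last write that passed the checks
    alerts = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # blank or malformed line
        if not isinstance(ev, dict) or ev.get("op") not in WRITE_OPS:
            continue
        caller, owner, bid = ev.get("auth_uid"), ev.get("owner_id"), ev.get("boost_id")
        known = owners.get(bid)
        if not caller or not owner:
            reason = "caller or owner missing"
        elif owner != caller:
            reason = "owner_id differs from authenticated uid"
        elif ev["op"] == "boost_update" and known not in (None, caller):
            reason = "update by a uid that does not own the boost"
        else:
            reason = None
        if reason:
            alerts.append((ev.get("ts"), bid, reason))
        else:
            owners[bid] = owner  # only trusted writes update ownership state
    return alerts


if __name__ == "__main__":
    for alert in find_owner_mismatches(SAMPLE_LOG.splitlines()):
        print(*alert, sep="  ")
```

Ownership state is only updated by writes that pass every check, so a flagged write cannot make later writes by the same uid look legitimate.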
