Arc had a catastrophic security vulnerability that would have allowed anybody to compromise every user of Arc. But, much more concerning, the vulnerability research revealed that Arc sent a record to their own backend of every site you visited. Here is the article:
Here is further discussion, including from programmers about how scandalous these failures are:
For myself, I’m removing Arc from my computer right away.
No, I can’t see anything in the writeup that says Arc saves a record of every website you visit.
The vulnerability was a way of remotely executing JavaScript on someone’s computer if the attacker could determine their user ID.
Here’s the official response from The Browser Company.
Hursh here, CTO and Cofounder of The Browser Company. We want to let all Arc users know that a security vulnerability existed in Arc prior to 8/25/24. We were made aware of a vulnerability on 8/25; it was fixed on 8/26. This issue allowed the possibility of remote code execution on users’ computers. We’ve patched the vulnerability immediately, already rolled out the fix, and verified that no one outside of the security researcher who discovered the bug has exploited it. This means no members were affected by this vulnerability, and you do not need to take any action to be protected.
…
In terms of this specific issue, we are making a number of changes to avoid this moving forward and to improve our communication around security vulnerabilities:
We’ve fixed the issues with leaking your current website on navigation while you had the Boost editor open. We don’t log these requests anywhere, and if you didn’t have the Boosts editor open these requests were not made. Regardless, this is against our privacy policy and should have never been in the product to begin with.
We’re disabling JavaScript on synced Boosts by default. Any Boost with custom JavaScript that was created on another device will need to be explicitly enabled moving forward.
We’re adding MDM configuration to disable Boosts for your entire organization.
We’re moving off Firebase for new features and products, mitigating future issues with ACLs.
We’re doing an emergency and more in-depth external audit of our existing Firebase ACLs to ensure there are no other vulnerabilities, in addition to our external security audits every six months. We are still planning to move off Firebase for all future features.
We’re establishing a security bulletin with clear comms around vulnerabilities, mitigations, and who was affected. We’ve been really inspired by Tailscale’s excellent security reporting, and we want to hold ourselves to the same standard.
We’re establishing clearer guidelines for bounties, specifying which severity levels warrant particular reward amounts.
We’re adding security mitigations to our release notes. Since this was a server-side fix, it didn’t occur to us to include it in our client release notes, but since that’s the major venue where members get information about updates in Arc, they should be included there.
We’re also bolstering our security team, and have hired a new senior security engineer.