Arc browser launches bug bounty program after fixing RCE bug

The Browser Company has introduced an Arc Bug Bounty Program to encourage security researchers to report vulnerabilities to the project and receive rewards. This development comes in response to a critical remote code execution flaw, tracked as CVE-2024-45489, that could have enabled threat actors to launch mass-scale attacks against users of the browser.

Launched a little over a year ago, Arc quickly gained popularity thanks to its innovative user interface design, customization options, uBlock Origin integration, and speedy performance. Threat actors even used the browser's popularity to push malware to Windows users.

A researcher found what they describe as a "catastrophic" flaw in the "Boosts" feature (user-created customizations), which lets users modify a website with JavaScript when it is visited. The flaw allowed attackers to exploit how Arc uses Firebase for authentication and database management to execute arbitrary code in a target's browser. The researcher found that they could cause malicious JavaScript code to run in other users' browsers simply by changing a Boost's creator ID to another person's ID. When that Arc Browser user visited the site, it would launch the malicious code created by the attacker.

Although the flaw was present in the browser for quite a while, it was promptly addressed on August 26, 2024, a day after the researcher responsibly disclosed it to the Arc team, for which they were awarded $2,000.

Regarding CVE-2024-45489, the Arc team notes in its latest announcement that auto-syncing of Boosts with JavaScript has been disabled, and a toggle to turn off all Boost-related features has been added in Arc 1.61.2, the latest version, released on September 26. The Browser Company says new coding guidelines with an elevated focus on auditing and reviewing have been crafted, its incident response process is being revamped for better effectiveness, and new security team members will be welcomed aboard soon.

The bug bounty program announced by The Browser Company covers Arc on macOS and Windows and Arc Search on iOS.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
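The root cause described above is an ownership check that trusted a client-supplied creator ID. As an added illustration (this is not Arc's code, and the page does not say how Arc's Firebase configuration was actually written), here is the weak pattern beside a corrected one in Cloud Firestore security rules, assuming a hypothetical `boosts` collection whose documents carry a `creatorId` field:

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (assumed illustration): any signed-in user may write any field of
    // any Boost, so a client can set creatorId to another user's ID and that
    // user's browser will later sync and run the Boost's JavaScript.
    // match /boosts/{boostId} {
    //   allow read, write: if request.auth != null;
    // }

    // HARDENED: ownership is derived from the verified auth token, never
    // from a field the client chose.
    match /boosts/{boostId} {
      function signedIn() { return request.auth != null; }
      function isOwner() { return resource.data.creatorId == request.auth.uid; }
      function keepsOwner() {
        return request.resource.data.creatorId == resource.data.creatorId;
      }

      // Reads are left open to signed-in users here (assumed sharing model);
      // narrow this if Boosts should be private.
      allow read: if signedIn();

      // On create, the stored creatorId must equal the caller's own uid.
      allow create: if signedIn()
                    && request.resource.data.creatorId == request.auth.uid;

      // On update, only the owner may write, and creatorId can never change.
      allow update: if signedIn() && isOwner() && keepsOwner();

      // Only the owner may delete.
      allow delete: if signedIn() && isOwner();
    }
  }
}
```

Rules like these are evaluated server-side on every request, so an attacker cannot bypass them by editing the client; they are best verified with the Firebase emulator's rules unit tests before deployment.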

This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 01 Oct 2024 22:36:12 +0000


Cyber News related to Arc browser launches bug bounty program after fixing RCE bug

Microsoft launches Defender Bounty Program with $20,000 rewards - Microsoft has unveiled a new bug bounty program aimed at the Microsoft Defender security platform, with rewards between $500 and $20,000. While higher awards are possible, Microsoft retains sole discretion to determine the final reward amount based ...
1 year ago Bleepingcomputer.com
The 20 Most Essential Crypto Bug Bounty Programs - Working with cryptocurrency has become more and more popular in the last few years, but it’s not without risks. It’s important for sites that conduct digital payments and transfers to have security measures in place to help keep your data safe ...
2 years ago Hackread.com Hunters
Arc Browser Announces Bug Bounty Program Following RCE Vulnerability - The Arc Browser Company has introduced the Arc Bug Bounty Program to recognize the critical role of the security research community. Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and ...
1 year ago Cybersecuritynews.com
Researchers Uncover New Technique to Exploit Azure Arc for Hybrid Escalation in Enterprise Environment and Maintain Persistence - IBM analysts identified multiple deployment vectors that introduce security vulnerabilities, including PowerShell scripts with embedded secrets, misconfigured System Center Configuration Manager (SCCM) deployments, and Group Policy Objects (GPOs) ...
3 months ago Cybersecuritynews.com
Netflix Paid Out Over $1 Million via Bug Bounty Program - Netflix has paid out more than $1 million for vulnerabilities found in its systems and products since the launch of its bug bounty program in 2016. The streaming giant said on Tuesday that more than 5,600 researchers have contributed to its program ...
1 year ago Packetstormsecurity.com Hunters
Record Breaking $153,000+ Already Invested into the Security of the WordPress Ecosystem by Wordfence - In just a few short months since our launch in November of last year, the Wordfence Bug Bounty Program has already awarded over $153,000 in bounties to WordPress security researchers who have been responsibly reporting security issues in WordPress ...
1 year ago Wordfence.com
HackerOne paid ethical hackers over $300 million in bug bounties - HackerOne has announced that its bug bounty programs have awarded over $300 million in rewards to ethical hackers and vulnerability researchers since the platform's inception. Thirty hackers have earned over a million USD for their submissions, and ...
1 year ago Bleepingcomputer.com Inception Hunters
Revolutionizing WordPress Bug Bounty and Security: Latest Enhancements to the Wordfence Bug Bounty Program - Our team has triaged around 2,140 vulnerability submissions, with about 1,320 deemed in-scope. Together with our researchers and software vendors, we've protected millions of websites from vulnerabilities - and this is just the beginning. We're ...
1 year ago Wordfence.com
$937 Bounty Awarded for Privilege Escalation and Local File Inclusion Vulnerabilities Patched in MasterStudy LMS WordPress Plugin - On February 25th, 2024, during our second Bug Bounty Extravaganza, we received a submission for a Privilege Escalation vulnerability in MasterStudy LMS, a WordPress plugin with more than 10,000 active installations. The next day on February 26th, ...
1 year ago Wordfence.com
Arc browser's Windows launch targeted by Google ads malvertising - A new Google Ads malvertising campaign, coinciding with the launch of the Arc web browser for Windows, was tricking people into downloading trojanized installers that infect them with malware payloads. The Arc browser is a new web browser featuring ...
1 year ago Bleepingcomputer.com
Pentagon Received Over 50,000 Vulnerability Reports Since 2016 - The US Department of Defense on Friday announced that it has processed 50,000 reports received as part of its continuous vulnerability disclosure program launched in November 2016. A first in the history of the federal government, the program was ...
1 year ago Securityweek.com
SquareX Reveals That Employees Are No Longer The Weakest Link, Browser AI Agents Are - SquareX’s research reveals that Browser AI Agents are more likely to fall prey to cyberattacks than employees, making them the new weakest link that enterprise security teams need to look out for. More importantly, employees using Browser AI Agents ...
3 months ago Cybersecuritynews.com
Google Patches Six Vulnerabilities With First Chrome Update of 2024 - Google on Wednesday announced the first Chrome security update of 2024, which resolves six vulnerabilities, including four reported by external researchers. All four of the externally reported security defects are high-severity memory safety flaws, but ...
1 year ago Securityweek.com CVE-2024-0222 CVE-2024-0223 CVE-2024-0224 CVE-2024-0225
Google paid $10 million in bug bounty rewards last year - Google awarded $10 million to 632 researchers from 68 countries in 2023 for finding and responsibly reporting security flaws in the company's products and services. Though this is lower than the $12 million Google's Vulnerability Reward Program paid ...
1 year ago Bleepingcomputer.com Hunters
Google Chrome 120 Released with Patch for 10 Critical Security Flaws - Google has recently released Chrome 120 for Windows, Mac, and Linux. This version of Chrome comes with 10 security patches to ensure a safer browsing experience for its users. The most recent versions of Chrome available to users are 120.0.6099.62 ...
1 year ago Cybersecuritynews.com CVE-2023-6508 CVE-2023-6511 CVE-2023-6512
Microsoft now pays up to $40,000 for some .NET vulnerabilities - In February, it announced increased payouts for moderate-severity Microsoft Copilot (AI) security flaws and a 100% award multiplier for all Copilot bounty awards to incentivize AI research. Madeline Eckert, a senior program manager for Researcher ...
2 months ago Bleepingcomputer.com
HackerOne paid $81 million in bug bounties over the past year - HackerOne, a leading bug bounty platform, has paid out an impressive $81 million in bug bounties over the past year, highlighting the growing importance of coordinated vulnerability disclosure programs in cybersecurity. This milestone underscores the ...
6 days ago Bleepingcomputer.com
OpenAI is to Launch an AI Web Browser in Coming Weeks - The new browser will feature integrated AI agent capabilities designed to autonomously handle various online tasks, positioning OpenAI as a direct competitor to traditional browser giants like Google Chrome while advancing the company’s vision ...
2 months ago Cybersecuritynews.com
Zoom flaw enabled hijacking of accounts with access to meetings, team chat - A Zoom flaw that enabled the hijacking of service accounts with access to potentially confidential information was disclosed by bug hunters this week. The vulnerability in the Zoom Rooms feature mostly affected Zoom tenants using email addresses from ...
1 year ago Packetstormsecurity.com Rocke Hunters
Microsoft: Windows Server hotpatching to require subscription - Microsoft has announced that it will soon introduce paid subscriptions for Windows Server 2025 hotpatching, a service that enables admins to install security updates without restarting. Hotpatching has been available since February 2022 for Windows ...
5 months ago Bleepingcomputer.com
30,000 WordPress Sites affected by Arbitrary SQL Execution Vulnerability Patched in Visualizer WordPress Plugin - On April 10th, 2024, during our second Bug Bounty Extravaganza, we received a submission for an authenticated SQL Execution vulnerability in Visualizer, a WordPress plugin with more than 30,000 active installations. Props to Krzysztof Zając who ...
1 year ago Wordfence.com
Thinking outside the code: How the hacker mindset drives innovation - Keren Elazari is an internationally recognized security analyst, author, and researcher. Since 2000, Keren has worked with leading Israeli security firms, government organizations, innovative start-ups, and Fortune 500 companies. In this Help Net ...
1 year ago Helpnetsecurity.com
Mintlify Data Breach Leads to Exposure of Customer GitHub Tokens - AI-powered code documentation firm Mintlify says customer GitHub tokens were compromised in a data breach caused by a vulnerability in its systems, prompting it to launch a bug bounty program. Mintlify helps developers generate code documentation. It ...
1 year ago Securityweek.com Hunters