tags:browserarc original link: gaining access to anyones browser without them even visiting a website newsletter link: exploits.club Weekly Newsletter 40 - iOS Kernel Exploitation, CET Bypasses, Elgato Hardware Repair, And More
Exploits Club Summary:
When we think browser 0day, we typically do not think Firebase... and maybe that's our problem. In a new post, @xyz3va talks through a crazy vuln she found in Arc browser. Essentially, with Frida and some Objective-C, she was able to identify that the browser seemed to be using Firestore. From there, she realized these things called "Arc boosts" (basically just ways to customize certain websites inside Arc) are also stored in Firestore for each user, and can contain arbitrary JavaScript. These are retrieved via userId and... yep, you can just change your own userId. So she created a "malicious" Arc boost, then changed her userId to a victim's Id and boom, popped the victim's browser.
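The root cause described above is a classic insecure direct object reference: per-user documents keyed by a userId the client supplies, with nothing tying that userId back to the authenticated identity. The Firestore security rules below are an added illustration written for this summary, not Arc's actual rules or anything from @xyz3va's post; the collection path `boosts/{userId}/{boostId}` and the shape of the rules are assumptions made for the example. The weak rule (kept in a comment) lets any signed-in user read or write any user's boosts; the active rule binds both to `request.auth.uid`, so a client that rewrites its own userId simply gets a permission-denied error.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Hypothetical per-user boost documents: /boosts/{userId}/{boostId}
    // (collection layout assumed for this example).
    match /boosts/{userId}/{boostId} {

      // WEAK (the pattern the write-up describes): the only check is that
      // the caller is signed in. The {userId} path segment is never compared
      // to the caller's identity, so any authenticated client can drop a
      // boost with arbitrary JavaScript into another user's space.
      //
      //   allow read, write: if request.auth != null;

      // FIXED: a caller may only touch boosts under their own uid. The uid
      // comes from the verified Firebase Auth token, not from a client-chosen
      // field, so changing userId client-side is rejected by the backend.
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;

      // Defence in depth: on create/update, also pin the ownership field
      // inside the document to the caller, so a boost can never claim to
      // belong to someone else even if a later rule change widens reads.
      allow create, update: if request.auth != null
                            && request.auth.uid == userId
                            && request.resource.data.ownerId == request.auth.uid;
    }
  }
}
```

Two points worth keeping in mind when auditing this kind of setup: these rules only help if the client talks to Firestore directly (a backend that proxies requests must perform the same uid-equals-path check itself), and an ownership check on the data store does not remove the second hazard in the write-up, namely that a boost is trusted to run as JavaScript in the browser at all, which argues for treating synced customisations as untrusted content on the client as well.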