One feature that sets the Arc browser apart from its competitors is the ability to customize a website. The feature, called “Boost,” lets users change a site’s background color, switch to a font they like or one that is easier for them to read, and even remove unwanted elements from the page entirely.
The changes they make shouldn’t be visible to anyone else, but they can sync them across their own devices. Now The Browser Company, Arc’s maker, has admitted that a security researcher found a serious flaw that allowed attackers to use Boost to compromise their targets’ systems.
The company used Firebase, which the security researcher known as “xyzeva” described in his post on the vulnerability as a “database-as-a-backend service,” to support many Arc features.
For Boost, specifically, it’s used to share and sync customizations across devices.
In xyzeva’s post, he showed how the browser relies on the creator’s identity (the creator ID) to decide which boosts to load onto a device. He also showed how someone could change that field to their target’s ID, effectively assigning a boost they created to the target.
For example, if a bad actor creates a boost with a malicious payload, they could change its creator ID to the creator ID of their intended target. When the victim then visits the affected website in Arc, they could unknowingly run the attacker’s malware.
And as the researcher explained, obtaining another user’s ID is easy. A user who refers someone to Arc shares their ID with the recipient, and if the recipient then creates an account through that referral, the person who sent it also receives their ID.
Users can also share their boosts with others, and Arc maintains a page of public boosts that includes the creator IDs of the people who made them.
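The core defect described above is that the backend trusted a client-supplied creator ID. Below is an added illustration, not The Browser Company’s actual configuration, of what that looks like as Firestore security rules: a permissive rule that accepts any creator ID from a signed-in client, beside a rule set that binds the creator ID to the authenticated user. The collection name `boosts`, the field `creatorID` and the `isPublic` flag are assumptions made for the example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (assumed shape of the problem): any signed-in user may write any
    // boost document, and nothing ties the creatorID field to the caller.
    // A client can therefore store a boost carrying someone else's ID.
    //
    // match /boosts/{boostId} {
    //   allow read, write: if request.auth != null;
    // }

    function signedIn() {
      return request.auth != null;
    }
    // The document as it will be after the write carries the caller's own uid.
    function ownsIncoming() {
      return signedIn() && request.resource.data.creatorID == request.auth.uid;
    }
    // The document as it currently exists belongs to the caller.
    function ownsExisting() {
      return signedIn() && resource.data.creatorID == request.auth.uid;
    }

    match /boosts/{boostId} {
      // A boost can only be created with the caller's own uid as creatorID.
      allow create: if ownsIncoming();
      // Only the owner may update, and the update may not change creatorID,
      // so a boost can never be re-assigned to another user after the fact.
      allow update: if ownsExisting() && ownsIncoming();
      allow delete: if ownsExisting();
      // The owner reads their own boosts; anyone else only sees boosts the
      // owner explicitly marked public (assumed isPublic flag).
      allow read: if ownsExisting() || resource.data.isPublic == true;
    }
  }
}
```

These rules stop a forged creator ID at the database, which is the authorization bug; they say nothing about what a boost may contain, which is why disabling JavaScript on synced boosts is a separate control.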
In its post, The Browser Company said that xyzeva notified it of the security issue on August 25 and that it released a fix the next day with the researcher’s help. It also assured users that no one had exploited the vulnerability and that no users were affected.
The company has also implemented several security measures to prevent a similar situation, including moving away from Firebase, disabling JavaScript by default on synced Boosts, setting up a bug bounty program, and hiring a new senior security engineer.
The iPhone 16 Pro is the iPhone we would recommend to most people. Yes, its starting price of $999 might be high, but a smartphone is a long-term investment.
If the question is “Which iPhone will keep you happy for the next three to five years,” we think the iPhone 16 Pro’s advantages over the standard iPhone 16 and 16 Plus are still meaningful enough to be worth spending an extra $100-200 — even if the difference isn’t as big as it has been in years past.
For one thing, the iPhone 16 Pro’s blasted titanium frame feels much better than the iPhone 16’s aluminum frame. It’s a little heavier than the standard 16 and last year’s iPhone 15 Pro, but it’s far from an anchor, and its slightly curved edges feel nice to hold.
It runs on a slightly faster A18 Pro chip, which doesn’t make a huge difference in everyday tasks but is still more future-proof, especially if you have any interest in gaming or content creation. And while every iPhone 16 has a USB-C charging port, the Pro models support faster data transfer speeds (provided you have the right cable).
The most prominent upgrade is the display. While the OLED panels on the iPhone 16 Pro and the standard iPhone 16 are equally sharp and bright, the former is more spacious at 6.3 inches (instead of 6.1 inches), while the phone itself is just 0.08 inches taller and 0.02 inches thicker. This is mainly due to the Pro’s thinner bezels, which give you more room for streaming video and reading web pages, in a device that isn’t as cumbersome to hold.