Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Arc Browser UXSS, Local File Read, Arbitrary File Creation and Path Traversal to RCE- 1559

Renwa, posted 1 year ago
  • The Arc browser had just announced its bug bounty program, so the author went looking for low-hanging fruit. They quickly found some interesting endpoints: arc://boost/v2/js and arc://boost/v2/css.
  • This functionality is a UI for creating boosts - effectively an extension with some extra configuration options. Looking at the paths, they found the /play endpoint, which accepted base64-encoded data, decoded it to JSON, and used that JSON to configure the boost.
  • The installed-boost UI supports custom styling, so CSS can make one boost look like a different one. Since installation only requires a click, this trick can be used to mislead a user into installing a boost they did not intend to.
  • When a boost is added, its data is written to a folder as several files. The JSON supplied to /play controls the paths of those files, and the file write did not sanitize them, so it was vulnerable to directory traversal. This gave the author an arbitrary file write.
  • macOS LaunchAgent plist files are run whenever a user logs in or the system starts, so writing a file to that location leads to arbitrary command execution. Once the system restarts after the file write, the attacker has arbitrary command execution on the machine.
  • After this research, the author found that the /play endpoint was not mentioned anywhere, which suggested the functionality was never meant for public use. The fix removed the legacy boost builder entirely. The author received a nice 10K bounty for the report.
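The root cause in the fourth bullet is a file write whose destination comes straight out of user-controlled JSON. The following is an added example (not code from the write-up or from Arc) showing the flawed pattern next to a containment check that resolves each candidate path and refuses anything that lands outside the boost's own directory. The config shape (a "files" object mapping file names to contents), the sample entries, and the function names are assumptions made for this example.

```python
import json
import os
from pathlib import Path
from typing import Optional, Union

# Constructed sample config in the general shape the write-up describes:
# a JSON object whose entries decide which files get written. The keys
# ("files", "styles.css", ...) are assumptions for this example, not Arc's format.
SAMPLE_CONFIG_JSON = json.dumps({
    "name": "demo-boost",
    "files": {
        "styles.css": "body { background: #fff }",
        "script.js": "console.log('boost');",
        "../../../../outside/target.txt": "must never be written",
        "/etc/absolute.txt": "must never be written",
        "sub/../theme.css": "normalises back inside the directory, so it is fine",
    },
})


def unsafe_write_paths(base_dir: Union[str, Path], config: dict) -> list:
    """The flawed pattern: join user-supplied names straight onto the base dir.
    Returns the paths that *would* be written, to show where traversal lands."""
    base_dir = Path(base_dir)
    return [str(base_dir / name) for name in config["files"]]


def safe_target(base_dir: Union[str, Path], name: str) -> Optional[Path]:
    """Return the resolved path for `name` only if it stays inside base_dir.

    Absolute paths and NUL bytes are rejected outright; everything else is
    resolved (which follows symlinks and collapses '..') and must remain
    relative to the resolved base directory."""
    if os.path.isabs(name) or "\x00" in name:
        return None
    base = Path(base_dir).resolve()
    candidate = (base / name).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def install_boost(base_dir: Union[str, Path], config_json: str, write: bool = False) -> dict:
    """Decode the config and write each file only if its target is contained.

    Returns which entries were accepted (as paths relative to base_dir) and
    which were rejected; with write=False nothing touches the filesystem."""
    base = Path(base_dir).resolve()
    config = json.loads(config_json)
    result = {"written": [], "rejected": []}
    for name, content in config["files"].items():
        target = safe_target(base, name)
        if target is None:
            result["rejected"].append(name)
            continue
        if write:
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        result["written"].append(str(target.relative_to(base)))
    return result


if __name__ == "__main__":
    demo_dir = "/tmp/boost-demo"
    print("naive join would write to:")
    for p in unsafe_write_paths(demo_dir, json.loads(SAMPLE_CONFIG_JSON)):
        print("  ", p)
    print("with containment check:", install_boost(demo_dir, SAMPLE_CONFIG_JSON))
```

Resolving the candidate rather than just rejecting literal `..` segments also catches symlinks inside the boost directory that point elsewhere. The check is still a point-in-time decision, so the write itself should happen in the same privilege context and immediately after the check, and the base directory should be one the browser process owns rather than anything under the user's login-item locations.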