CVE-2024-52928 Overview
CVE-2024-52928 is a broken access control vulnerability [CWE-284] affecting the Arc browser on Windows prior to version 1.26.1. The flaw exists in the site settings permission model. Websites that already hold previously granted permissions can silently acquire additional permissions when a user clicks anywhere on the page. The attack requires no explicit consent dialog interaction beyond a single click. This bypasses the intended permission prompt flow that Arc enforces for sensitive browser capabilities such as camera, microphone, location, and notifications.
Critical Impact
A malicious or compromised website with any prior permission grant can escalate to additional high-impact permissions through a single user click, enabling unauthorized access to camera, microphone, geolocation, or other sensitive browser APIs.
Affected Products
- The Browser Company Arc for Windows versions prior to 1.26.1
- Microsoft Windows operating system (all supported versions running vulnerable Arc builds)
- Arc browser site settings permission subsystem
Discovery Timeline
- 2025-06-26 - CVE-2024-52928 published to the National Vulnerability Database
- 2025-07-10 - Last updated in NVD database
Technical Details for CVE-2024-52928
Vulnerability Analysis
The vulnerability resides in the Arc browser's site settings enforcement logic on Windows. Arc maintains per-origin permission state for sensitive web platform APIs. When an origin already holds at least one granted permission, the browser fails to require a discrete user gesture and explicit consent prompt for subsequent permission requests. Instead, any user click anywhere on the page satisfies the gesture requirement and grants additional permissions.
This collapses the security boundary between distinct permission categories. A site initially trusted for notifications could, after a single arbitrary click, acquire camera or microphone access without the user seeing a consent prompt. The behavior contradicts the standard Chromium permission model that Arc is built upon, where each sensitive capability requires its own user-mediated decision.
The Browser Company addressed the issue in Arc 1.26.1 for Windows. The macOS build was not identified as affected in the Arc Security Bulletin.
Root Cause
The root cause is improper access control [CWE-284] in the permission grant pathway. The browser treats prior permission grants as a partial trust signal and reduces the gesture and prompt requirements for subsequent permission requests from the same origin. Arc does not isolate permission decisions per capability and does not require an unambiguous consent action tied to the specific permission being requested.
Attack Vector
Exploitation requires a user to visit a malicious or compromised website that already holds at least one granted permission. The attacker hosts content that calls additional permission-gated APIs and waits for the user to click anywhere on the page. The click serves as the user interaction component but is not tied to a visible permission prompt. Common social-engineering layouts such as cookie banners, video players, or interactive UI elements satisfy the click requirement without raising suspicion.
No verified proof-of-concept code is publicly available. The vulnerability mechanism is documented in the vendor advisory rather than through released exploit artifacts.
Detection Methods for CVE-2024-52928
Indicators of Compromise
- Arc browser installations on Windows reporting a version string below 1.26.1 in arc://settings or executable metadata.
- Unexpected entries in Arc per-site permission state granting camera, microphone, geolocation, or notification access without a corresponding user-recalled prompt.
- Outbound connections from Arc.exe to untrusted domains immediately followed by permission-state changes in the Arc user profile directory.
Detection Strategies
- Inventory all Windows endpoints for the presence of Arc.exe and extract the file version from the binary metadata to identify hosts running versions below 1.26.1.
- Monitor the Arc user profile directory under %LOCALAPPDATA%\Packages or the Arc install path for modifications to site-settings databases that occur outside of user-initiated permission prompts.
- Correlate browser process telemetry with media device access events (camera and microphone activation) to identify activations not preceded by a visible permission dialog.
Monitoring Recommendations
- Enable endpoint telemetry that captures process execution, child processes of Arc.exe, and access to MMDevice or AudioCapture interfaces.
- Log DNS and HTTP egress from Arc browser processes and flag connections to newly registered or low-reputation domains.
- Track software inventory changes and alert when Arc remains pinned to a version below 1.26.1 after the patch availability date.
How to Mitigate CVE-2024-52928
Immediate Actions Required
- Upgrade Arc for Windows to version 1.26.1 or later on all endpoints. The patched build is available from The Browser Company through the in-app updater.
- Audit existing per-site permission grants in Arc and revoke any permissions that users do not recognize or that were issued to non-essential origins.
- Restrict installation of Arc browser through application allowlisting until all endpoints are confirmed to be running the fixed version.
Patch Information
The Browser Company released Arc 1.26.1 for Windows containing the fix for CVE-2024-52928. Details are published in the Arc Security Bulletin. Users should verify the running version through the Arc settings interface and trigger an update if the version is below 1.26.1.
Workarounds
- Revoke all non-essential site permissions in Arc until the browser is updated, reducing the set of origins that can trigger the bypass.
- Disable sensitive device access at the operating system level by removing camera, microphone, and location permissions from the Arc application in Windows Settings under Privacy & Security.
- Restrict use of Arc on Windows endpoints to non-sensitive browsing tasks until the patched version is deployed across the environment.
# Verify installed Arc version on Windows endpoints via PowerShell
Get-ChildItem -Path "$env:LOCALAPPDATA\Microsoft\WindowsApps\Arc.exe","$env:LOCALAPPDATA\Programs\Arc\Arc.exe" -ErrorAction SilentlyContinue |
ForEach-Object { (Get-Item $_.FullName).VersionInfo | Select-Object FileName, ProductVersion }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
