a minute ago
Oop and I just convinced my wife and brother to move over :o
Props to her, she asked about the security and privacy of the browser and I played it off with some fanboy propaganda. Lesson learned on that one. If I only care about the vertical tabs, workspaces, and a (decent) mobile app are there any good equivalents right now?
2 hours ago
https://www.crunchbase.com/organization/the-browser-company/...
> Total Funding Amount $68M
the browser company normally does not do bug bounties, but for this catastrophic of a vuln, they decided to award me with $2,000 USD
I'm struggling to put into words how disappointing I find this.
32 minutes ago
I've got a different take. If they're in the VC phase, that means they are not self sufficient. The amount of funding that they've raised is no indication what-so-ever of a) how much of that funding has actually been realized / received b) what their overhead is and c) what their overall financial picture looks like.
I do wish that more companies would take privacy and security seriously. And bug bounty programs are great. But they're not always within the budget of companies and the fact that they decided to award this security researcher regardless of having no such program is a massive win in my opinion and shows how much they value this particular contribution.
18 minutes ago
Thanks for the reply! I think I disagree with you, mostly because it seems like this particular bug could have been company-destroying because of the potential reputation hit if it was exploited on a wide scale.
But regardless, I appreciate your perspective and it gives me some stuff to consider I hadn't previously.
2 hours ago
This is 100% company culture, probably the ones that decide this kind of things are not technical or don't understand how important is this.
10 minutes ago
They disclosed the vulnerability directly to the co-founder CTO.
> the timeline for the vulnerability:
> aug 25 5:48pm: got initial contact over signal (encrypted) with arc co-founder hursh
> aug 25 6:02pm: vulnerability poc executed on hursh's arc account
3 hours ago
I just want to call out that there is a lot of blame put on firebase here in the comments but I think that's just people parroting stuff they don't actually know about (I don't use firebase, I have tried it out in the past though). This isn't some edge case or hard to solve thing in firebase, this is the easy stuff.
The real issue here is that someone wrote an api that trusted the client to tell it who they were. At the end of the day this is an amateur mistake that likely took a 1 line diff to fix. Don't believe me? Check out the docs: https://firebase.google.com/docs/rules/rules-and-auth#cloud-... - `request.auth` gives you the user id you need (`request.auth.uid`).
an hour ago
As someone with an app built on firebase, yes. As the author rightly points out, it's very easy to misconfigure, but basic security practices like these are highlighted in bright, bold warning text in the Firebase docs.
Security rules are meant to be taken seriously, and it's your only line of defense.
29 minutes ago
> bold warning text in the Firebase docs.
Unfortunately, we currently have an industry where highly paid "engineers" unironically believe that their job can be done by reading/watching random tutorials, googling for StackOverflow answers, and pasting code from gists.
Attentively reading documentation or developing a mental model of how your tools work so that you know how they are built to be handled does not make it on to any job listing bullet points. It presumably fell off the bottom in favor of team spirit or brand enthusiasm or whatever.
How many tutorials, community answers, and gists do you think conveyed that warning?
2 minutes ago
Reading/watching random tutorials and asking basic question on SO __instead of reading the official docs__ is a trend I've observed for the last 15 years. Even for stuff pretty well documented like Python, Postgres, React, etc.
2 minutes ago
Nobody reads docs dude. They copy and paste stack overflow answers, and now, copilot answers, which is going to be based on stack overflow ultimately anyway.
an hour ago
I think a system that makes it this easy to shoot yourself in the foot is probably not a great system. Documentation is important, and I'm glad it's clear and obvious, but humans make mistakes. You'd hope that the mistakes have less dire consequences.
5 minutes ago
[delayed]
6 hours ago
>privacy concerns >while researching, i saw some data being sent over to the server, like this query everytime you visit a site:
> firebase .collection("boosts") .where("creatorID", "==", "UvMIUnuxJ2h0E47fmZPpHLisHn12") .where("hostPattern", "==", "www.google.com");
> the hostPattern being the site you visit, this is against arc's privacy policy which clearly states arc does not know which sites you visit.
4 hours ago
What sort of data does Arc track? Our plain-english Privacy Policy summarizes it well:
We don’t know which websites you visit
3 hours ago
From the quoted snippet, every page load is leaking both the domain and authed user’s ID to Firebase.
2 hours ago
Yeah but if they super promise to not look at incoming Firebase queries they're not tracking you, right?
2 hours ago
The super promise died with crypto, now you have to add no backsies. My site uses No Backsies Proofs (NBPs) which are encrypted to prove that all my super promises are backed by a no backsie which is stored in the no backsie vault in Antarctica.
an hour ago
Later on moxie ends up writing a quick review of NBPs
> Instead of storing the data on-chain, NBPs instead contain a URL that points to the data. What surprised me about the standards was that there’s no hash commitment for the data located at the URL. Looking at many of the NBPs on popular marketplaces being sold for tens, hundreds, or millions of dollars, that URL often just points to some VPS running Apache somewhere. Anyone with access to that machine, anyone who buys that domain name in the future, or anyone who compromises that machine can change the image, title, description, etc for the NBP to whatever they’d like at any time (regardless of whether or not they “own” the token). There’s nothing in the NBP spec that tells you what the image “should” be, or even allows you to confirm whether something is the “correct” image.
8 minutes ago
this is why my startup is launching backsies rollups for the blob, with null-effect prebacksies. this way everyone can be assured that any backsies issued are technically equivalent to just not making the original agreement! if you can discover a post-agreement backsie within the availability period of 0 days, and we can confirm it, we'll pay you $2,000 no backsies. so we have a market incentive not to lie to you. it's very efficient
36 minutes ago
I would feel more comfortable if your super promises were all on a blockchain, and we made No Backsie NFTs so people could clearly see these were legitimate and bid on them.
14 hours ago
There are a lot of major security vulnerabilities in the world that were made understandably, and can be forgiven if they're handled responsibly and fixed.
This is not one of them. In my opinion, this shows a kind of reputation-ruining incompetency that would convince me to never use Arc ever again.
6 hours ago
On the other hand, this is pretty impressive:
aug 25 5:48pm: got initial contact over signal (encrypted) with arc co-founder hursh
aug 25 6:02pm: vulnerability poc executed on hursh's arc account
aug 25 6:13pm: added to slack channel after details disclosed over encrypted format
aug 26 9:41pm: vulnerability patched, bounty awarded
sep 6 7:49pm: cve assigned (CVE-2024-45489)
EDIT: Oh, the date changed; so it was 28 hours until fix. Still decent; and half an hour from initial contact to "Join our slack channel" is incredibly fast response time.
4 hours ago
Reacting fast is the least the vendor could do. Bare minimum. This should not be applauded. It should be treated as "well, at least they reacted at a reasonable speed so the root cause was probably not malice".
In other words, a quick turnaround with a fix does not lessen the impact of being negligent about security when designing the product.
2 hours ago
> Reacting fast is the least the vendor could do.
And yet, so few do. Let's remind ourselves the bar sank into the floor a long time ago.
2 hours ago
"They put the bandaid over the wound caused by a flagrant disregard for the users privacy, security, and safety."
Phew, glad that's over and will never happen again.
6 hours ago
28 hours (note the date), but still
7 hours ago
The mandatory account just to try Arc was always a massive red flag to me - and led to me never trying it. Now I’m glad I didn’t!
2 hours ago
You could have just borrowed someone else’s, it appears.
17 minutes ago
Ironically, that would help the privacy concerns since it would intermingle all traffic in their analytics system. Win-win!
5 hours ago
Honestly I’ve always considered Arc to be a wolf in sheep’s clothing, especially when it comes to privacy.
50-60mm cash at 500mm (!) valuation and no business model is a big red flag when it comes to something as important, as personal as a browser. This is not a charity. Someone, somehow will have to pay for that.
4 hours ago
Yeah I’m so torn. It’s honestly the best browser UX I’ve seen, the right combination of vertical tabs, auto archiving, spaces/collections, sync, etc. I don’t care for Easels, but the core is good.
Except… the growth hacks have started to creep in. They overlay an advert for their own AI services on top of regular Google search results pages in their mobile app. Not even a browser chrome UI element, it’s literally over the page content. That feels like a huge violation of what it means to be a browser.
I don’t want their AI features. I don’t want growth hacks. I don’t want to sign in except for sync. I’d happily pay $40 a year for Arc as a product-focused-product, but as a VC-focused-product it’s heading downhill.
2 hours ago
It does get a lot right and feels smooth in ways that Chrome, the various Chrome-clones, and Firefox just don't. It's also ironically the only browser even trying to feel native on Windows, using WinUI/WinAppSDK for its UI there, despite originally being Mac only.
It's unfortunate that other cross platform browsers have such a strong tendency to phone in these little things, because they really do add up to make for a nicer experience.
4 minutes ago
I'm torn for the same reason: The UX hits all the right notes for me and I've tried every MacOS browser under the sun. I'm an ADHD sufferer and there's something about their combination of features and UI that just lets me get stuff done. And I don't even touch their AI features.
This is all really sad news.
an hour ago
You might like Zen Browser https://zen-browser.app/
29 minutes ago
Or Floorp: https://floorp.app
3 hours ago
Have you tried Vivaldi? It's really customizable and has a lot of features.
13 hours ago
Also, firebase? seriously? this is a company with like, low level software engineers on payroll, and they are using a CRUD backend in a box. cost effective I guess? I wouldn't even have firebase on the long list for a backend if I were architecting something like this. Especially when feature-parity competitors like Supabase just wrap a normal DBMS and auth model.
9 hours ago
> low level software engineers on payroll
How does The Browser Company make money? They're giving their product away for free.
Browsers are complicated. It doesn't inspire confidence that the folks in charge of that complexity can't get their heads around a business model.
(Aside: none of their stated company values have anything to do with the product or engineering [1]. They're all about how people feel.)
5 hours ago
They don't have a business model yet, is the thing.
6 hours ago
I don't see an issue, using something like Firebase is what a smart engineer would do. Just this one piece of logic is a problem.
5 hours ago
I tend to agree with this. Why re-invent the wheel by spending engineering effort building a CRUD backend?
If you're trying to bring value to market, focus on your core differentiator and use existing tooling for your boilerplate stuff.
4 hours ago
It’s the “chrome replacement we have been waiting for”, but (if I read this right), my data is still sent to Firebase? Also it’s a browser, not a “tinder but for cats” startup idea I’m writing for my cousin for a beer.
It’s not only not a smart engineering decision, it’s also a terrible product, reputation and marketing decision.
3 hours ago
I'm not disagreeing about the severity of the security vulnerability that has been uncovered – to be clear, it's an absolute shocker of a bug. It's really disappointing to see.
But I still disagree that the use of Firebase, in and of itself, is a bad engineering decision. It's just a tool, and it's up to you how you use it.
Firebase gives you all features needed to secure your backend. But if you configure it incorrectly, then _that's_ where the poor engineering comes into play. It should have been tested more comprehensively.
Sure. You could build your own backend rather than using a Backend-as-a-Service platform. But for what gain? If you don't test it properly, you'll still be at risk of security holes.
2 hours ago
> a “tinder but for cats” startup idea
Needs a name. Meowr? Hissr?
7 hours ago
This convinced me to never use Arc again. I created a small guide to migrate from it to an open-source alternative: https://gist.github.com/clouedoc/4acc8355782f394152d8ce19cea...
TL;DR: it's not possible to export data from Arc, but it's possible to copy-paste the folder to a Chrome profile, and Firefox and other browsers will detect&import it.
25 minutes ago
I also wrote a guide on ARC features that work better on Firefox: https://thannymack.com/#Arc%20features%20that%20work%20bette...
4 hours ago
Unfortunately, Zen Browser simply isn't an alternative. If you like Arc, then Zen's UI for tabs and splitting views isn't really anywhere close to satisfying the same needs.
2 hours ago
At least Firefox seems to be borrowing some of the UI features slowly. At least the Mozilla Foundation is very public with their wants and goals.
an hour ago
Firefox seems to be borrowing some of the UI features slowly (at least the vertical tabs). And at least the Mozilla Foundation is very public with their wants and goals.
14 hours ago
You’d think that a company shipping a browser would pay a little more attention to security rules.
Also, shame on firebase for not making this a bit more idiot proof.
And really? $2500? That’s it? You could’ve owned literally every user of Arc… The NSA would’ve paid a couple more zeros on that.
7 hours ago
> You could’ve owned literally every user of Arc… The NSA would’ve paid a couple more zeros on that.
only the 17 users they have.
Shouldn't a government sue you if you try to sell him out vuln unless you personally know people in charge?
7 hours ago
Firestore rules are in "lock mode" (no read or write allowed) by default since a long time. Then, everything is ultra well explained in the docs.
I was already aware of it when being a noob dev 10 years ago, and could easily write a rule to enforce auth + ownership in the rules. No way, seasoned devs can miss that.
13 hours ago
Are there a lot of Arc users? It seems like a pretty niche browser even compared to other niches.
10 hours ago
Lots of developers and power users make a good chunk of Arc's use base. If you're after some interesting credentials then "every Arc user" is a perfect group with little noise.
10 hours ago
> power users
Not that many. Most power users don't like to be forced for logging in, before they are able to use the browser.
9 hours ago
If I had to guess, the typical Arc user is a Mac user in tech. It doesn't run on Linux, most windows users wouldn't run it, and non-tech people haven't heard of it.
Then most engineering IC people will most likely run Firefox or Chrome, so you're probably looking at designers/founders/managers as your target.
Probably some interesting targets there, but not the type that the NSA cares about. Just pure conjecture on my part of course ;).
8 hours ago
The only person I ever saw using Arc was a designer at a tech startup, so this checks out.
5 hours ago
I've seen quite a few. In one of my clients's Slack there are at least a couple people advocating for it all the time. They're mostly DLs or in similar roles. I also know at least one developer who uses it.
I used it for a while for a very limited use case. Some interesting concepts. Mostly I found it annoying though. I also didn't like the sign-in thing but still wanted to experiment. I have dropped it altogether and kept Firefox as main browser (as it's been for many years) and Safari as a secondary. Both work much better overall for my needs.
9 hours ago
confirmed
i don't even like logging in WHILE using the browser and have never heard of arc
12 hours ago
Having arbitrary browser access would be pretty valuable, even for just a small number of users.
8 hours ago
my brother uses arc browser , he is a developer . I think he saw it from somebody using it (maybe theo t3 or some other creator he watches) , and he found it cool (plus there were lot of videos flooded with saying arc is really great IDK)
If someone finds something cool on the internet. They are going to try it , given that they are capable to do so.
He had a mac so he was able to do so , Even I tried to run arc on windows once when it was really beta and only available to mac (I think now it supports windows not sure)
I just kindly want to state that if the nsa could've bought this exploit , they could've simply waited and maybe even promote arc themselves (seems unlikely)
Maybe they could've tried to promote the numbers of arc users by trying to force google and microsoft search engine through some secret shady company advertising / writing blog posts for arc / giving arch funding or like how we know that there are secret courts in america
( and since these search engines basically constitutes for a high percentage of discovery of stuff by search engine by users)
People could've credited the success to arc in that case for getting more users but the real winner would've been NSA.
3 hours ago
A couple? A vuln like this is worth >$1M very easily on the market.
10 hours ago
The page says $2,000.
8 hours ago
yes. I feel sad that now we have created an incentive where selling to the govt.'s is often much lucrative than telling to the vulnerable party (arc in this case)
(just imagine , this author was great for telling the company , this is also a cross platform exploit with very serious issues (I think arc is available on ios as well))
how many of such huge vulnerabilities exist but we just don't know about it , because the author hasn't disclosed it to the public or vulnerable party but rather nsa or some govt. agency
5 hours ago
What is Arc?
8 hours ago
I agree & disagree.
Browsers are very important part of our life. If someone compromises our browsers , they basically compromise every single aspect of privacy and can lead to insane scams.
And because arc browser is new , they wanted to build fast and so they used tools like firebase / firestore to be capable of moving faster (they are a startup)
Now I have read the article but I am still not sure how much of this can be contributed to firebase or arc
On the following page from same author (I think) https://env.fail/posts/firewreck-1 , tldr states
- Firebase allows for easy misconfiguration of security rules with zero warnings
- This has resulted in hundreds of sites exposing a total of ~125 Million user records, including plaintext passwords & sensitive billing information
So because firebase advocates itself to the developers as being safe yet not being safe , I think arc succumbed to it.
firestore has a tendency to not abide by the system proxy settings in the Swift SDK for firebase, so going off my hunch,
Also , you say that you have been convinced to never use arc again.
Did you know that chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to the websites starting with *.google.com ?
this is just recently discovered , just imagine if something more serious is also just waiting in the shadows Couldn't this also be considered a major security vulnerability just waiting to be happen if some other exploit like this can be discovered / google.com is leaked and now your cpu information and way more other stuff which browsers shouldn't know is with a malicious threat actor ?
7 hours ago
I very much agree with the idea that browsers are security-sensitive software, unlike, say, a picture editor, and more like an ssh server. It should be assumed to be constantly under attack.
And browser development is exactly not the area where I would like to see the "move fast, break things" attitude. While firebase may be sloppy with security and thus unfit for certain purposes, I would expect competent developers of a browser to do due diligence before considering to use it, or whatever else, for anything even remotely related to security. Or, if they want to experiment, I'd rather that be opt-in, and come with a big banner: "This is experimental software. DO NOT attempt to access your bank account, or your real email account, or your social media accounts".
With that, I don't see much exploit potential in learning stats like the number of cores on your machine. Maybe slightly more chances of fingerprinting, but nothing comparable to the leak through improper usage of firebase.
7 hours ago
You do know that there are more than chrome and arc right?
4 hours ago
> Did you know that chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to the websites starting with *.google.com ?
That's pretty interesting. Where can I learn more about this?
an hour ago
I recall there being a thread with way more discussion at the time, but I can't put my finger on that thread right now. This post has some information:
3 hours ago
>>Did you know that chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to the websites starting with *.google.com ?
Yeah so using chrome based browsers like Arc is giving more power to Google to do shady stuff while also being a victim of the third party unsafe code.
13 hours ago
I just wanted to say, I enjoyed the little pixel art cat that runs towards wherever you click immensely. It’s one of those fun, whimsical little touches that I don’t see all that often. A reminder that the internet can be a fun, whimsical place if we want it to be :)
11 hours ago
As I didn’t get that, it seems like the dev honors prefers-reduced-motion, and doesn’t display it in that case. Excellent of them, give joy to those who want it, prevent annoyances for those who hate them.
3 hours ago
It does: https://github.com/adryd325/oneko.js/blob/main/oneko.js
const isReducedMotion =
window.matchMedia(`(prefers-reduced-motion: reduce)`) === true ||
window.matchMedia(`(prefers-reduced-motion: reduce)`).matches === true;
if (isReducedMotion) return;
10 hours ago
Same for me, on FF you can override it with:
about:config
ui.prefersReducedMotion = 0
11 hours ago
On Debian, you can install and run the cat with
sudo apt install oneko
oneko &
7 hours ago
Well that was a rabbit hole.
Current version is hard to even see with high-res screens. A few checks shows endless ports, code from the 90s and before, and all sorts of other fun.
Wonder if the author will reply.
3 hours ago
You have sudo access to your colleagues computers?
13 hours ago
It's doing great for being a 35-year-old cat!
6 hours ago
And here I was wishing it would go away and trying to find a way to hide it because on my phone it was always covering text. Firefox reader mode worked.
4 hours ago
For the curious, that specific cat goes back to 1989:
7 hours ago
I did not. On the firefox mobile browser it was just using screen space.
11 hours ago
On desktop it follows the mouse no need to click.
4 hours ago
I guess it's removed? I don't see it. On Windows Chrome.
5 hours ago
It is distracting and annoyed me, I stopped reading because of it.
5 hours ago
I thought it just ran around on the top line of the header, and was quite taken with it. I then scrolled and it followed me right into the middle of a paragraph. Less taken, but cat's gonna cat.
8 hours ago
According to this article, Arc requires an account and sends Google's Firebase the hostname of every page you visit along with your user ID. Does this make Arc the least private web browser currently being used?
3 hours ago
I trashed Arc immediately after install when I found out having an account was mandatory. That seemed so silly, like toothbrushes-requiring-wifi absurd. How much moreso now.
2 hours ago
Truly. I was looking for a privacy respecting Chromium-based browser to use for Web MiniDisc (https://web.minidisc.wiki/) and came across some enthusiastic praise for Arc. I downloaded it and it immediately wanted me to create an account to even use it. How can that possibly respect my privacy? It went right in the trash.
2 hours ago
Every single thing I've heard about Arc browser has been a massive red flag. Turns out it was even worse than I thought!
4 hours ago
Thank you for sharing this. I have been using Arc since the first week of beta.
The fact that they don't even mentioned this bug/fix on any of their social media is quite alarming.
I enjoyed my time with Arc, but I can't possibly see myself continuing to use it after the way they handled this.
4 hours ago
Them acknowledging the issue, then fixing it within 28 hours isn't good enough for you? That kind of response makes me happy to continue using Arc.
33 minutes ago
I'm in the same boat as GP. Was invited early, loved the Arc UX far more than any other browser. I've recommended it to many people.
As many other comments have pointed out, this vulnerability is such a rookie mistake that I don't think I can trust them again after this without understanding what factors in their security/engineering culture led to it. Patching this one issue isn't enough.
2 hours ago
They afaik never said that they ‘fixed’ the issue where they’re sending Google your every visited url.
16 hours ago
This is such a fantastic bug. Firebase security rules (like with other BaaS systems like Firebase) have this weird default that is hard to describe. Basically, if I write my own API, I will set the userId of the record (a 'boost' in this case) to the userId from the session, rather than passing it in the request payload. It would never even occur to a developer writing their own API past a certain level of experience to let the client pass (what is supposed to be) their own userId to a protected API route.
On the other hand, with security rules you are trying to imagine every possible misuse of the system regardless of what its programmed use actually is.
10 hours ago
> On the other hand, with security rules you are trying to imagine every possible misuse of the system regardless of what its programmed use actually is.
Tbh you're doing it wrong if you go that way.
Default deny, and then you only have to imagine the legitimate uses.
3 hours ago
Fair enough, but my point is more conceptual, in that you still have to write `boost.userId == auth.userId` as an allowed pattern rather than making that pattern the only technically possible result, which is the convention in a traditional API.
5 hours ago
And then when you imagine the legitimate uses you have to imagine how allowing those legitimate uses could be misused. You always need to think red and blue.
11 hours ago
Can we have Arc added to the title of the post to better alert people who use or know people who use the browser?
4 hours ago
Huge agree. I didn’t realize this applied to me the first time I saw this story yesterday. It was the rename that got me to click.
Honestly I strongly feel the title should be “fundamental bug in Arc browser (CVE 123-4567)” or similar.
11 hours ago
Nice article, but this is hard to read without proper capitalization. My brain uses capitals to scan beginning and ending of text.
7 hours ago
I was similarly fascinated by the stylistic choices made here. No capitalisation of even any names, no hyphen in a compound adjective, but dots and commas and spaces are deemed necessary, also before "and" where the word clearly acts as separator already. If you look at the waveform of speech, we have no spaces between regular words so, if they want to eliminate unnecessary flourishes... though perhaps (since text largely lacks intonation markers) that makes it too unreadable compared to the other changes. All this is somehow at least as fascinating to me as the vulnerability being described!
6 hours ago
It’s just another dumb social media trend, like tYpiNg LiKe tHiS. Hopefully it too will phase out. Search for “lowercase trend” and you’ll find reports of it going years back, there’s nothing worth being fascinated about.
It has seeped into HN as well. Look closely and you’ll notice several commenters type like that.
5 hours ago
Strange to label a failure to capitalize words as a "dumb social media trend", as I'm sure people have been doing that for many years prior to social media.
And nobody tYpEs lIkE tHiS except when making a joke.
4 hours ago
> Strange to label a failure to capitalize words
It’s not a failure, it’s a conscious choice.
> as I'm sure people have been doing that for many years prior to social media.
But now it’s happening more frequently. That’s what “trend” means. It doesn’t mean it never happened before.
> And nobody tYpEs lIkE tHiS except when making a joke.
Just because you don’t know people like that, does not mean they don’t exist. The world is bigger than one person’s knowledge. I personally knew several teenagers who did it for all their communication, before smartphones. The speed at which they were able to do it was astounding.
5 hours ago
I use it to indicate tone. Proper capitalization and punctuation reads with a formal, cold tone.
lowercase without caps reads with a warmer, informal tone
there’s a Tom Scott Language Files video documenting it: https://www.youtube.com/watch?v=fS4X1JfX6_Q
3 hours ago
That's really interesting, I personally don't read those tone differences based on the casing. Neither approach carries different warmth or formality to me at all.
I wonder if this is a regional or generational thing?
3 hours ago
> I wonder if this is a regional or generational thing?
Generational is a good bet:
3 hours ago
> lowercase without caps reads with a warmer, informal tone
Personally, and I’m certain I’m not alone on this, it reads as annoying. It’s harder to follow and looks as if the writer didn’t care to do the bare minimum to make the text accessible and clear to the reader.
> there’s a Tom Scott Language Files video documenting it
Per that video (thank you for sharing), capital letters “make a paragraph easier to read” and “context matters” and “the conventions change fairly quickly” and typing in all lowercase is “sometimes okay”.
This is a post documenting a serious browser vulnerability, shared to the wide internet, not an informal conversation between buddies. Clarity matters. I don’t fully buy the tone argument and find words and sentence structure are more important. Take the following two examples:
> Just heard about your promotion, you beautiful bastard! Let’s go get pissed to celebrate, on me!
And:
> good afternoon mrs bartlet. the limousine will be available in twenty minutes. i would also like to apologise for my behaviour yesterday when i inadvertently insulted your husband it was a faux pas i promise will not be repeated. my resignation will be on your desk by noon.
I get that language evolves. You do you. Personally I hope this trend subsides like so many others before it. Maybe you don’t like to read properly structured text and prefer all lowercase. My preference is the reverse. And that’s OK, we don’t all have to be the same. I merely wish that people who prefer a certain style understand not everyone will see it the same way they do (and I’m including myself).
9 hours ago
If you were using Arc you could add a Boost for "Case: toggle between different capitalization settings - they will apply to all text on the webpage" [1]
/s
[1] https://resources.arc.net/hc/en-us/articles/19212718608151-B...
5 hours ago
Depending on the version you are using, you might not even need to add it, someone else might just add it for you!
8 hours ago
this made me laugh. 10/10
12 hours ago
$2000 is an insulting amount for such a huge vuln
2 hours ago
Judging by blog posts on HN, I got the impression that these vulnerabilities are often not rewarded at all, or rewarded by a minuscule amount. It almost seems like companies are begging hackers to sell these exploits. Perhaps because they aren't penalized by the regulator for breaches?
6 hours ago
Yeah, that was my first reaction. I'm really surprised they were cheap on this
10 hours ago
Yeah, you have to have some solid backbone not to sell this off to some malicious party for 20-50x that amount...
8 hours ago
Am I too optimistic? I feel like most regular people I know wouldn’t sell this off. Most people are not antisocial criminals by nature, and also wouldn’t know how to contact a “state actor” even if they wanted to.
8 hours ago
> also wouldn’t know how to contact a “state actor” even if they wanted to.
That's why brokerages like Zerodium exist - you can sell it to them, and they'll sell it onto state actors.
9 hours ago
A malicious party who wants a vulnerability in a browser effectively nobody uses?
3 hours ago
Arc was recommended to me by a friend. I deleted upon finding out I needed an account to use it. The excuse Arc gives is in case you want to sync. I'm capable of opting into that.
4 hours ago
> i discovered that there was a arc featured called easels, easels
> are a whiteboard like interface, and you can share them with people,
> and they can view them on the web. when i clicked the share button
> however, there was no requests in my mitmproxy instance, so whats
> happening here?
I thought this was novel, and assumed it was just something to do with websockets, so I switched to another, non-firebase-but-yes-websockets project and noticed it didn't work.
At the time, I debated moving calls to Firebase just so that I could work for free while I was on flights, but realized the ROI wasn't remotely there. Glad to finally have someone else acknowledge it happening, and give some insight as to why.
an hour ago
> firestore has a tendency to not abide by the system proxy settings in the Swift SDK for firebase, so going off my hunch, i wrote a frida script to dump the relevant calls.
As someone who has done some reverse engineering of macOS apps but haven't used anything beyond Charles' macOS proxy feature, this looks very painful. Is there a proxy app that maybe acts as a VPN so that basically every HTTP request is guaranteed to go through it, so that you don't need to write a hundred lines of bespoke Frida just to capture requests?
Edit: On second thought Proxifier should work for this purpose.
an hour ago
Instead of knee jerk firebase is bad, can we discuss how this could be abated properly with firebase rules for firestore?
Is this the rule that was missing for arcs boosts or whatever object?
```
match /objects/{object} {
// Allow create new object if user is authenticated
allow create: if request.auth != null;
// Allow update or delete document if user is owner of document
allow update, delete: if request.auth.uid == resource.data.ownerUID
}
3 hours ago
I roasted them on HN when they announced their product: Browsing the interest should not require an account. Its an "HTML Client", absolutely absurd. Hopefully they sit down and reconsider their choices.
13 hours ago
OP is talking about the Arc browser, not the Arc language, the Arc "Atomic React" project, or any of scores of other projects with that name.
12 hours ago
I'm definitely not the target audience... Even after reading the faq I have no idea what it does
7 hours ago
It's a browser (chromium based) with a really nice UI that people love, I am intrigued but haven't used it because I find the requirement to create an account off-putting.
7 hours ago
I don't understand what you do not get. In the link you sent they claim to be a privacy oriented web browser based on chromium
4 hours ago
For some time I asked why doesn't Arc let me sync my passwords.
After seeing this level of incompetence, I am happy they didn't attempt that.
Yet.
13 hours ago
Great research. As I've said elsewhere, Firebase's authentication model is inherently broken and causes loads of issues, and people would be better off writing a small microservice or serverless function that fronts Firebase.
Also, for anyone trying to read the article, they should put `/oneko.js` in their adblocker.
12 hours ago
> Also, for anyone trying to read the article, they should put `/oneko.js` in their adblocker.
Only if you hate cats, pixel art, or are easily distracted.
11 hours ago
I suspect it's that they hate are easily distracted (if "hate" falls outside of the series, such that it applies beyond just "cats")!
10 hours ago
Looks like someone already added it to uBlock Origin since I see no cat.
Or maybe the cat doesn't support Firefox...
9 hours ago
Did you enable the ui.prefersReducedMotion setting? That hides the cat from what I can tell
9 hours ago
Hmm not that I remember. But I have reduced motion enabled on my phone system wide and maybe that synced to my desktop on its own.
Which is scary come to think of it.
7 hours ago
Too late to edit... i just got around to checking and I do have system wide reduced motion and reduced transparency on this laptop. I'm sure I didn't set it up on there, just on the phone.
I think Apple is starting to sync too much...
6 hours ago
That seems like a perfectly reasonable thing to sync. Accessibility settings are exactly the type of thing you shouldn’t have to configure again and again on every device.
Either way, you can disable syncing of system settings.
5 hours ago
> That seems like a perfectly reasonable thing to sync. Accessibility settings are exactly the type of thing you shouldn’t have to configure again and again on every device.
No, because I disabled motion on my phone because the wiggling of icons on the main screen annoyed me, not because I have motion sickness. Nothing wiggles on the desktop (yet). This option doesn't even belong in accessibility IMO, it should be a "stop annoying me" section.
> Either way, you can disable syncing of system settings.
Where? The same spot where I can disable syncing the clipboard? I.e. somewhere deep in an undocumented file?
4 hours ago
Gotta be honest, the aggressive and unreasonable snark completely turns me off from helping you. It feels that regardless of the obviousness of the setting, you’ll find some nitpick to shout back at me about it. Since I don’t work for Apple or yourself, I don’t have to justify their choices or be the recipient of your unjustified and unprompted bad humour. I’m making a conscious choice to not soil my Friday on account of some internet rando. You’re on your own for this one.
I genuinely wish you a calm weekend and peaceful start of the week.
4 hours ago
Thanks for the martyrdom but last time I checked clipboard syncing it was a package with everything that gets synced, including sms forwarding etc on Apple. If there is a way to disable syncing granularly it’s not documented anywhere.
6 hours ago
Ah thanks, that explains why I don't see the cat everybody mentions
8 hours ago
I use uBlock Origin and Firefox (on Mac) and see the cat.
6 hours ago
Im dyslexic and I tend to use the pointer to follow what I am reading to help me. The cat was annoying as hell. I just had to hide the element in the DOM before i could read more than a few lines. Infuriating design choice to make it follow the pointer.
6 hours ago
It's really not hard to build this safely in firebase, this could've been authored the same way in node too. I think whoever authored this either majorly cut corners or just isn't experienced enough to understand how to write authenticated controllers like this. This should scare people away from this browser, it's such a basic thing to mess up and it shouldn't have happened.
4 hours ago
> Firebase's authentication model is inherently broken
I'm not very familiar with Firebase. In what way is it broken and what issues does it cause?
2 hours ago
User identity must be derived from security context, typically at the edge of the system.
But it’s so much easier for developers to think of userid as just another parameter, and they forget, and oops now they trust a random user-supplied parameter.
5 hours ago
Man I miss these kinds of detective posts on HN
3 hours ago
Upvote them, definitely something that makes HN special.
10 hours ago
the developers working with firebase should enforce common-sense document crud restrictions in the rules. that's just how firebase is. everyone knows it.
now, when talking about ARC BROWSER, i am seriously starting to doubt the competence of the team. I mean, if the rules are broken (no tests? no rules whatsoever?), what else is broken with ARC? are we to await a data leak from ARC?
any browser recommendations with proper vertical tabs and basically everything working like it does in ARC?
10 hours ago
Did you took a look at the zen browser? It's an arc clone based on Firefox https://zen-browser.app/
5 minutes ago
i'm rooting for them to succeed, but if the concern is security, switching your daily driver browser to a brand-new browser that's still in alpha is unfortunately not a good idea.
2 hours ago
I did. It’s like 20 % an Arc clone, and 80 % of UX papercuts. Like, you can’t have ‘add tab’ button on top when the new tab gets added to the bottom. Or that one sidebar button opens a side window to the right of the sidebar, while another below it opens the favorites to the left and moves the whole sidebar from underneath your mouse.
Looks like a minimal effort css restyle of Firefox.
6 hours ago
nice. will probably try it in the future.
but the for-some-reason-not-obvious revelation that it's just a product that some team somewhere is working on and the fact that a browser is an important piece of software brought me back to safari (not sure if joke's on me, but in this case I trust apple engineers to do a more thorough job in ensuring my data is secure).
5 hours ago
Zen and MS Edge have proper vertical tabs.
5 hours ago
Try Firefox with Sideberry extension.
5 hours ago
Brave. Vertical tabs, privacy, everything sync is e2ee (unlike eg. Edge).
Vivaldi may also be worth a look. Similar setup: User-oriented team, vertical tabs, e2ee sync. If you like a thorough browser history, I think Vivaldi keeps a more detailed browsing history than most other Chromium browsers.
2 hours ago
Brave is VC funded and needing to extract a billion of value. Just like Arc.
13 hours ago
while researching, i saw some data being sent over to the server, like this query everytime you visit a site
I'm not surprised in the least --- basically the vast majority of software these days is spyware. Looking at Arc's privacy page, it appears to be mainly marketing fluff similar to what I've seen from other companies. I have yet to find a privacy policy that says frankly "we only know your IP and time you downloaded the software, for the few weeks before the server logs are overwritten."
4 hours ago
Seeing "privacy focused" in any sort of mission statement is almost becoming an indicator of the opposite (I'm sure there's a word for this)
I'd rather a company have simple goals that can be explained in a sentence or two. No hand wavey BS like "we care about your privacy"
6 hours ago
> I have yet to find a privacy policy that says frankly "we only know your IP and time you downloaded the software, for the few weeks before the server logs are overwritten."
Not with those exact words, but that’s Alfred. Server connections are done only to validate the license and check for updates, and you can even disable that.
https://www.alfredapp.com/terms/
> Alfred only contacts our server when activating your Powerpack license in order to validate it, as well as periodically checking for new software updates. You can disable the software update check in the Update preferences, but we recommend keeping this enabled to ensure that you always have the latest version for security reasons and to make the most of the awesome new features!
11 hours ago
Yeah, and no mention of if they addressed this.
8 hours ago
For context: what is this 'arc' that the blog post mentions? I presumes it's not Paul Graham's Lisp dialect in this context?
EDIT: seems to be a browser or so?
8 hours ago
Yes it's a new browser who tries to change the UX from traditional browsers: https://arc.net/
11 hours ago
I wish we didn't have to sign up to use a browser in the future
9 hours ago
just don't use browsers that do
7 hours ago
The vulnerability has been patched, but I suppose the browser still makes a firebase query for every website you visit?
That's pretty bad, whether or not they track these requests, just seems wasteful.
8 hours ago
Very small bounty, but I honestly believe this arc thing won’t last long…
Browsers are hard and my only choice has been chrome and will remain so for the long foreseeable future.
When I was younger I would enjoy switching to firefox, opera, etc..
But I always came back to chrome because it just worked and always performed when I needed.
Chrome/chromium is the safest browser.
People tend to fall for the shiny new thing and then realize it was just hype.
Please be very careful about what software you choose to perform most of your activities.
The same applies to these “new ai IDEs” that keep popping up every other say.
8 hours ago
…Firefox as an alternative to Chrome!? Am I really that old!?
I used Chrome for years and years, right from when it first came out. Since then, I switched back to Firefox, and have used it for years. It works perfectly fine.
an hour ago
Browser is an user agent. Chrome is an advertisement company agent running on your PC, collecting data for that advertising company.
People often confuse these two, but they’re the polar opposites.
4 hours ago
> Chrome/chromium is the safest browser.
Why do you say that?
8 hours ago
I’m ashamed I fell for Arc and even recommended it to my friends, as someone whose job is exactly this but with Android apps :(
7 hours ago
They claim so much and their browsers' code is 100% proprietary so it's impossiblen to verify their lies. This is what triggered the bullshit detector in my head
6 hours ago
> They claim so much and their browsers' code is 100% proprietary
Far from me to defend Arc (I dislike it for several reasons) but it’s based on Chromium so it’s far from 100% proprietary. Don’t Edge, Vivaldi, and even Chrome have proprietary layers on top of the open-source Chromium?
9 hours ago
Start -> Control Panel -> Programs and Features -> Search 'Arc' -> Uninstall.
2 hours ago
...said Windows user.
15 hours ago
Article great, cute doge even better. Here's my upvote!
15 hours ago
The dog is actually a cat named Neko.
14 hours ago
To be clear, it's a cat named "cat" in Japanese.
12 hours ago
I got downvoted for calling it a dog??
Now that's ruff!!
8 hours ago
Good pun :)
HN tends to be a little hard on brief comments. My current understanding is that comments with little substance are totally acceptable provided they're good natured.
For example this comment by dang "There's nothing wrong with submitting a comment saying just "Thanks."" https://news.ycombinator.com/item?id=37251836.
Also from the guidelines "Comments should get more thoughtful and substantive, not less, as a topic gets more divisive": this post's topic doesn't likely qualify as divisive.
7 hours ago
Wait until you see that this got downvoted too. HN is a toxic place
3 hours ago
Yeah with this and the privacy zinger at the end its definitely time my monthlong experiment with arc comes to a close. Too bad that the thing theyre actually proud of, the tabbing UX, was actually really good.
2 hours ago
hmm gee I wonder was it worth to value the bug bounty at $2500 given the severity of both the bug and sheer lack skills of the browser company staff...it might even be a reputation destroyed event...
10 hours ago
This is a nice investigation and a great read. Sad that they don't normally do bug bounties. $2000 seems small considering the severity of this vulnerability. Though I guess the size and finances of the company is a factor. It takes some serious skills, effort and luck to discover something like that. It should be well compensated.
5 hours ago
How could one sell a vulnerability like this to let's say Mossad? Write them an email?
3 hours ago
Page them :)
an hour ago
eva (kibty.town) and mr. bruh never disappoint!