Was the post written for HN users only? I cannot see it on your blog page (https://arc.net/blog). It’s not posted on your twitter either. Your whole handling seems to be responding only if there is enough noise about it.

Hi Hursh, I'm Tom. A couple friends use Arc and they like it, so I had considered switching to it myself. Now, I won't, not really because of this vulnerability itself (startups make mistakes), but because you paid a measly $2k bounty for a bug that owns, in a dangerous way, all of your users. I won't use a browser made by a vendor who takes the security of their users this unseriously.

By the way, I don't know for sure, but given the severity I suspect on the black market this bug would have gone for a _lot_ more than $2k.

Comments further down are concerned that on each page load, you're sending both the URL and a(n identifiable?) user ID to TBC. You may want to comment on that, since I think it's reasonable to say that those of us using not-Chrome (I don't use Arc personally, but I'm definitely in the 1% of browser users) are likely to also be the sort of person concerned with privacy. Vulnerabilities happen, but sending browsing data seems like a deliberate design choice.

There isn't really anything you can do to convince me that your team has the expertise to maintain a browser after this. It doesn't matter that you have fixed it, your team is clearly not capable of writing a secure browser, now or ever.

I think this should be a resigning matter for the CTO.

Will you be increasing the bug bounty payout? $2,000 is a tiny fraction of what this bug is worth, I hope you will pay the discoverer a proper bounty.

You've been handed a golden opportunity to set the right course.

> including moving off Firebase

Firebase is not to blame here. It's a solid technology which just has to be used properly. Google highlights the fact that setting up ACLs is critical and provides examples on how to set them up correctly.

If none of the developers who were integrating the product into Arc bothered about dealing with the ACLs, then they are either noobs or simply didn't care about security.

> We’re also bolstering our security team, and have hired a new senior security engineer.

Is there a reason why you don’t have any security-specific positions open on your careers site?

Until this individual comes back and responds to at least a few of the questions/comments, I don't think we should even pay attention to this marketing-dept-written post. They basically want this to go away, and answering any questions would raise more issues most likely, so they just seemed to have done the bare minimum and left it at that. It's 3 hours later now, they might as well have not even posted anything here.

$2000 is an absurdly small bounty here - you should up that

I think the bigger question is: Why are you violating your own security policy by keeping track on what we browse. I though my browsing is private and hidden away from you but if you store my browsing data in your firebase this is not acceptable at all.

> "...the hypothetical depth of this vulnerability is unacceptable."

What is also unacceptable is to pay 2000 dollars for something like this AND have to create user accounts to use your browser. Will definitely stay away from it.

no mention of the pitiful bounty reward (2000 usd). only sorry and thanks. Please award this person a proper bounty.

Are you going to address the part where you send visited websites to Firebase which goes against your privacy policy of not tracking visited URLs?

Only $2k for an exploit like this?

I would like to respectfully provide the suggestion of allowing for the use of Arc without being signed into an account. Although I understand browser/device sync is part of most modern browsers, and the value it provides, normally it is a choice to use this feature. Arc still provides a lot of attractive features, even without browser sync on.

I like Arc, and I don’t want to pile on: God knows I’ve written vulnerable code.

To explore a constructive angle both for the industry generally and the Browser Company specifically: hire this clever hacker who pwned your shit in a well-remunerated and high-profile way.

The Browser Company is trying to break tradition with a lot of obsolete Web norms, how about paying bullshit bounties under pressure rather than posting the underground experts to guard the henhouse.

If the Browser Company started a small but aggressive internal red team on the biohazard that is the modern web?

I’ll learn some new keyboard shortcuts and I bet a lot of people will.

So when there are near weekly reports of websites being compromised due to horrid Firebase configuration, did absolutely no one on your teams raise a red flag? Is there some super low-pri ticket that says "actually make sure we use ACLs on Firebase"?

>Arc brought order to the chaos that was my online life. There’s no going back.

Bringing the chaos back like it's 1999.

I misread your name as Hush which is kind of fitting considering how you're trying to make this go away

Hursh / ha470, where did you go? There are lots of good questions in the replies to your thread, yet you went dark immediately after posting more than 8 hours ago. It's hard to imagine what could be more pressing than addressing people's concerns after a major security incident such as this.

To be honest, I'm a bit disappointed. For future reference, this doesn't seem like a good strategy to contain reputational damage.

remember when reading this that this guy's company is valued at a billion dollars and his comp is 10x yours if not more. we live in a meritocracy

ngl this is pretty pathetic. the massive security hole is one thing but you're just gonna gloss over violating your own privacy policy?

Bro you should be requiring accounts to download HTML. Come on man.

Pay the guy properly. $2000 is an insult. It should be $50k. This kind of bug could be sold for 100-200k easily.

[flagged]

Thanks for the response.

While people might nitpick on how things were handled, the fact that you checked if anyone was affected and fixed it promptly is a good thing.

As someone with an app built on firebase, yes. As the author rightly points out, it's very easy to misconfigure, but basic security practices like these are highlighted in bright, bold warning text in the Firebase docs.

Security rules are meant to be taken seriously, and it's your only line of defense.

It's interesting to see software engineers going from rolling their own auth, to not rolling their own auth, to not even noticing this quite blatant security problem.

It doesn't matter if you roll your own auth or not, you need to understand a very basic fundamental of it all: never trust the client.

At the end of the day this is an amateur mistake

God I wish. More than one of my coworkers has made this exact mistake with our (thankfully internal) front-end apps.

A security plan which depends on any person never making an amateur mistake, is an amateur mistake.

Agreed, if I understand correctly the fix to this issue would be the following rules inside of a "match" statement in firestore.rules which is plainly documented as firebase firestore security 101:

```

// Allow create new object if user is authenticated

allow create: if request.auth != null;

// Allow update or delete document if user is owner of document

allow update, delete: if request.auth.uid == resource.data.ownerUID

```

This is what happens when you hire solely based on leetcode skill. A shit-tier engineer can master leetcode within months, but a good engineer will probably struggle at Find Nth Smallest Sum problem because he spends more time reading and thinking about code.

Leetcode is a fucking joke to the industry, gone are the days when you actually had good code with devs who spent time thinking about information architecture. In my experience boomer devs are actually the only ones who write idiomatic code. Millennial and Gen-z devs are the worst, they have no understanding beyond basic function calling.

the whole idea of firebase is flawed as logic that belongs to a server is now on the client side. I don't know much about security but that sounds like making any centralized rule (eg security) hard to implement. It also tends to expose more internal logic than the client needs to know, which is bad in both software design and security.

As I didn’t get that, it seems like the dev honors prefers-reduced-motion, and doesn’t display it in that case. Excellent of them, give joy to those who want it, prevent annoyances for those who hate them.

It's doing great for being a 35-year-old cat!

https://en.wikipedia.org/wiki/Neko_(software)

On Debian, you can install and run the cat with

    sudo apt install oneko
    oneko &

It's cute but I just can't focus on the article knowing the cat is gonna move every time I move my mouse or scroll. I popped open my console and deleted him. Sorry, kitty

And here I was wishing it would go away and trying to find a way to hide it because on my phone it was always covering text. Firefox reader mode worked.

I found it, like an actual cat, extremely distracting.

For the curious, that specific cat goes back to 1989:

https://en.wikipedia.org/wiki/Neko_(software)

On desktop it follows the mouse no need to click.

I did not. On the firefox mobile browser it was just using screen space.

It is distracting and annoyed me, I stopped reading because of it.

I guess it's removed? I don't see it. On Windows Chrome.

I trashed Arc immediately after install when I found out having an account was mandatory. That seemed so silly, like toothbrushes-requiring-wifi absurd. How much moreso now.

I think OperaGX wins that award

I'm also left wondering: How broken would Arc be, if Firebase was to go down?

When I downloaded it a few months ago and it required an account to even use it, my gut feeling was that I should just stick with Firefox.

They don't encrypt the data they send via Firebase?

I mean, even Google suggests doing this with sensitive data.

"Arc is the Chrome replacement I’ve been waiting for." [1]

> https://arc.net/

I guess now we know why they frame it that way.

> On the other hand, with security rules you are trying to imagine every possible misuse of the system regardless of what its programmed use actually is.

Tbh you're doing it wrong if you go that way.

Default deny, and then you only have to imagine the legitimate uses.

For inserts yes, but for updates I've frequently seen cases where people just stuff the whole request into their ORM or document store. It is pretty easy to think "the owner can update the document" without realizing that there are some fields (that the official client doesn't set) that shouldn't be updated (like the owner or created timestamp).

The correct solution is likely default-deny auth for every single field. Then you at least have to explicitly make the owner field writable, and hopefully consider the impact of transfering this object to another user.

Can you explain how you could get someone else's user id? I get that this is still a big vulnerability but am trying to understand how that would happen.

Huge agree. I didn’t realize this applied to me the first time I saw this story yesterday. It was the rename that got me to click.

Honestly I strongly feel the title should be “fundamental bug in Arc browser (CVE 123-4567)” or similar.

On the other hand, this is pretty impressive:

    aug 25 5:48pm: got initial contact over signal (encrypted) with arc co-founder hursh
    aug 25 6:02pm: vulnerability poc executed on hursh's arc account
    aug 25 6:13pm: added to slack channel after details disclosed over encrypted format
    aug 26 9:41pm: vulnerability patched, bounty awarded
    sep 6 7:49pm: cve assigned (CVE-2024-45489)

EDIT: Oh, the date changed; so it was 28 hours until fix. Still decent; and half an hour from initial contact to "Join our slack channel" is incredibly fast response time.

The mandatory account just to try Arc was always a massive red flag to me - and led to me never trying it. Now I’m glad I didn’t!

Honestly I’ve always considered Arc to be a wolf in sheep’s clothing, especially when it comes to privacy.

50-60mm cash at 500mm (!) valuation and no business model is a big red flag when it comes to something as important, as personal as a browser. This is not a charity. Someone, somehow will have to pay for that.

You’d think that a company shipping a browser would pay a little more attention to security rules.

Also, shame on firebase for not making this a bit more idiot proof.

And really? $2500? That’s it? You could’ve owned literally every user of Arc… The NSA would’ve paid a couple more zeros on that.

Also, firebase? seriously? this is a company with like, low level software engineers on payroll, and they are using a CRUD backend in a box. cost effective I guess? I wouldn't even have firebase on the long list for a backend if I were architecting something like this. Especially when feature-parity competitors like Supabase just wrap a normal DBMS and auth model.

This convinced me to never use Arc again. I created a small guide to migrate from it to an open-source alternative: https://gist.github.com/clouedoc/4acc8355782f394152d8ce19cea...

TL;DR: it's not possible to export data from Arc, but it's possible to copy-paste the folder to a Chrome profile, and Firefox and other browsers will detect&import it.

What is Arc?

I agree & disagree.

Browsers are very important part of our life. If someone compromises our browsers , they basically compromise every single aspect of privacy and can lead to insane scams.

And because arc browser is new , they wanted to build fast and so they used tools like firebase / firestore to be capable of moving faster (they are a startup)

Now I have read the article but I am still not sure how much of this can be contributed to firebase or arc

On the following page from same author (I think) https://env.fail/posts/firewreck-1 , tldr states

- Firebase allows for easy misconfiguration of security rules with zero warnings

- This has resulted in hundreds of sites exposing a total of ~125 Million user records, including plaintext passwords & sensitive billing information

So because firebase advocates itself to the developers as being safe yet not being safe , I think arc succumbed to it.

firestore has a tendency to not abide by the system proxy settings in the Swift SDK for firebase, so going off my hunch,

Also , you say that you have been convinced to never use arc again.

Did you know that chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to the websites starting with *.google.com ?

this is just recently discovered , just imagine if something more serious is also just waiting in the shadows Couldn't this also be considered a major security vulnerability just waiting to be happen if some other exploit like this can be discovered / google.com is leaked and now your cpu information and way more other stuff which browsers shouldn't know is with a malicious threat actor ?

Them acknowledging the issue, then fixing it within 28 hours isn't good enough for you? That kind of response makes me happy to continue using Arc.

Judging by blog posts on HN, I got the impression that these vulnerabilities are often not rewarded at all, or rewarded by a minuscule amount. It almost seems like companies are begging hackers to sell these exploits. Perhaps because they aren't penalized by the regulator for breaches?

Yeah, that was my first reaction. I'm really surprised they were cheap on this

Yeah, you have to have some solid backbone not to sell this off to some malicious party for 20-50x that amount...

Young people (like me) use lowercaps like that all the time. Around 50% of the young people I know purposefully turn off auto-caps on their phone.

Why? I really couldn't say. I think we just like the feel of it. The only reason I type with proper capitalization on HN and my blog is because I know older people read it.

I was similarly fascinated by the stylistic choices made here. No capitalisation of even any names, no hyphen in a compound adjective, but dots and commas and spaces are deemed necessary, also before "and" where the word clearly acts as separator already. If you look at the waveform of speech, we have no spaces between regular words so, if they want to eliminate unnecessary flourishes... though perhaps (since text largely lacks intonation markers) that makes it too unreadable compared to the other changes. All this is somehow at least as fascinating to me as the vulnerability being described!

If you were using Arc you could add a Boost for "Case: toggle between different capitalization settings - they will apply to all text on the webpage" [1]

/s

[1] https://resources.arc.net/hc/en-us/articles/19212718608151-B...

It's a little worse than that. From now on, blackhats will have a favorite #1 browser to pentest, at least for the next few weeks.

And who's going to take the bet that they'll find nothing? Not me.

> Also, for anyone trying to read the article, they should put `/oneko.js` in their adblocker.

Only if you hate cats, pixel art, or are easily distracted.

It's really not hard to build this safely in firebase, this could've been authored the same way in node too. I think whoever authored this either majorly cut corners or just isn't experienced enough to understand how to write authenticated controllers like this. This should scare people away from this browser, it's such a basic thing to mess up and it shouldn't have happened.

> Firebase's authentication model is inherently broken

I'm not very familiar with Firebase. In what way is it broken and what issues does it cause?

https://arc.net/faq

I'm definitely not the target audience... Even after reading the faq I have no idea what it does

"in case" is good excuse if the account is optional. Which is not case here.

You seem surprised. This is the MO of many tech companies.

Probably the line of thinking is that security can be a back burner issue until product market fit is achieved.

Doesn't matter if you build the most secure product if nobody is using it, right? Where that breaks down is that a browser MUST be relatively secure, otherwise you've given up the whole ballgame.

> "Privacy first" browser's are marketing jargon today

A glance at Arc's privacy policy makes it clear they aren't privacy anything [1]. (Contrast their device and product usage data sections with Kagi's [2].)

[1] https://arc.net/privacy#what-personal-data-do-we-collect-and...

[2] https://help.kagi.com/orion/privacy-and-security/respecting-...

That has been the reason I've never given Arc a shot. It's unacceptable.

Did you took a look at the zen browser? It's an arc clone based on Firefox https://zen-browser.app/

Try Firefox with Sideberry extension.

Zen and MS Edge have proper vertical tabs.

Brave. Vertical tabs, privacy, everything sync is e2ee (unlike eg. Edge).

Vivaldi may also be worth a look. Similar setup: User-oriented team, vertical tabs, e2ee sync. If you like a thorough browser history, I think Vivaldi keeps a more detailed browsing history than most other Chromium browsers.

https://zen-browser.app/

Seeing "privacy focused" in any sort of mission statement is almost becoming an indicator of the opposite (I'm sure there's a word for this)

I'd rather a company have simple goals that can be explained in a sentence or two. No hand wavey BS like "we care about your privacy"

> I have yet to find a privacy policy that says frankly "we only know your IP and time you downloaded the software, for the few weeks before the server logs are overwritten."

Not with those exact words, but that’s Alfred. Server connections are done only to validate the license and check for updates, and you can even disable that.

https://www.alfredapp.com/terms/

> Alfred only contacts our server when activating your Powerpack license in order to validate it, as well as periodically checking for new software updates. You can disable the software update check in the Update preferences, but we recommend keeping this enabled to ensure that you always have the latest version for security reasons and to make the most of the awesome new features!

Yeah, and no mention of if they addressed this.

Upvote them, definitely something that makes HN special.

Some flights have a free tier of wifi that allows messaging apps. Google Voice and Google Hangouts usually work on those so wouldn't be surprised if some other Google services make it through.

The security page explicitly claims that Arc doesn't log what you're doing, giving URLs as an example, but this vulnerability claims every URL is being sent up to Firebase.

just don't use browsers that do

With Brave you don't need to, even for sync.

...said Windows user.

What about S3, you don't really need a file storage provider either?

> are javascript devs really that afraid

You might be afraid of JS devs :P Anyway has nothing to do with language, even if it was a super c0ol Ruby-on-Rails app with Active Record and SQL db on a server you manage it's still common to have some stuff in NoSQL for fast access to live data, caches, logs, etc. Most companies at scale will have both SQL and NoSQL dbs in areas. So if you're already using S3 for files, code on GitHub, storing keys in 1Pass, why not use a Firebase or MongoDB for high traffic live data? Especially if they offer built-in scaling and geo deploy options.

This scenario I laid out is kinda to your point of "don't anchor your entire company on it" - the only point I'm trying to add is that you can also use these tools without the company being "anchored" on it, and they could have still ran into the same issue as Arc.

To add to u/ibash's comment, mitmproxy correctly implements a macOS network extension: https://mitmproxy.org/posts/local-redirect/macos/

I assume you'll have to install a root cert in order to introspect HTTPS traffic though.

mitmproxy.org can act as a wireguard vpn iirc

Yes it's a new browser who tries to change the UX from traditional browsers: https://arc.net/

> If I only care about the vertical tabs, workspaces, and a (decent) mobile app are there any good equivalents right now?

I use Firefox mostly because of Sideberry (which does vertical tree-style tabs) which also integrates with "containers", so you can have something similar to workspaces but more isolation. Otherwise there is also "profiles" that probably offer even more isolation between the different profiles.

Firefox with extensions? The current vertical tabs extensions are not nearly as nice, but Mozilla is working on native vertical tabs. Syncing and Workspaces are already better with Firefox then with Arc.

I just use Brave with a shitton of profiles. That does cause problems for mobile use since no Android browser dev has bothered with proper profiles or ability to install multiple copies of the browser, except for Google I guess.

I use Firefox with Sidebery for vertical (specifically, tree style) tabs, plus a userChrome.css to hide the native horizontal tabs. Firefox has mobile apps, and the Android app supports (some) browser extensions.

It works, it's boring, and it doesn't try to shove gimmicky features in my face.

Even in Safari, you can remove tabs from toolbar (but it is not possible to hide toolbar itself) and have them in sidebar - there are also tab groups.

But experience is probably different.

…Firefox as an alternative to Chrome!? Am I really that old!?

I used Chrome for years and years, right from when it first came out. Since then, I switched back to Firefox, and have used it for years. It works perfectly fine.

Browser is an user agent. Chrome is an advertisement company agent running on your PC, collecting data for that advertising company.

People often confuse these two, but they’re the polar opposites.

> Chrome/chromium is the safest browser.

Why do you say that?

https://www.mossad.gov.il/contact-us/en

Interestingly enough, contains a field for entering your Father's name (but not your mother's).

Page them :)

Maybe I am just stupid, but this *super* smells of arc being able to inject whatever they want in to literally any of your websites and this dude just figured out that he could also do that.

This does not seem like a browser capability I want.

What sort of data does Arc track? Our plain-english Privacy Policy summarizes it well:

We don’t know which websites you visit

Yea if everything else is not enough of a red flag here, the fact that they are sending every single website you visit to Firebase — against stated privacy policies — is the mother of all red flags.

People say they like arc for the UI and there are all alternatives, but do you really want to risk someone stealing your bank creds and stealing all your money for some fancy UI?

[dead]

I've got a different take. If they're in the VC phase, that means they are not self sufficient. The amount of funding that they've raised is no indication what-so-ever of a) how much of that funding has actually been realized / received b) what their overhead is and c) what their overall financial picture looks like.

I do wish that more companies would take privacy and security seriously. And bug bounty programs are great. But they're not always within the budget of companies and the fact that they decided to award this security researcher regardless of having no such program is a massive win in my opinion and shows how much they value this particular contribution.

This is 100% company culture, probably the ones that decide this kind of things are not technical or don't understand how important is this.

[flagged]

They claim so much and their browsers' code is 100% proprietary so it's impossiblen to verify their lies. This is what triggered the bullshit detector in my head

The dog is actually a cat named Neko.

https://en.wikipedia.org/wiki/Neko_(software)

I got downvoted for calling it a dog??

Now that's ruff!!

You can use some Arc AI features to summarize it for you :)