Gaining access to anyones Arc browser without them even visiting a website

1469 pointsposted 10 months ago
by xyzeva

289 Comments

ha470

10 months ago

I’m Hursh, cofounder and CTO of The Browser Company (the company that makes Arc). Even though no users were affected and we patched it right away, the hypothetical depth of this vulnerability is unacceptable. We’ve written up some technical details and how we’ll improve in the future (including moving off Firebase and setting up a proper bug bounty program) here: https://arc.net/blog/CVE-2024-45489-incident-response.

I'm really sorry about this, both the vuln itself and the delayed comms around it, and really appreciate all the feedback here – everything from disappointment to outrage to encouragement. It holds us accountable to do better, and makes sure we prioritize this moving forward. Thank you so much.

ayhanfuat

10 months ago

Was the post written for HN users only? I cannot see it on your blog page (https://arc.net/blog). It’s not posted on your twitter either. Your whole handling seems to be responding only if there is enough noise about it.

sushid

10 months ago

Hursh, can you please respond to the above commenter? As an early adopter, I find it fairly troubling to see a company that touts transparency hide the blog post and only publicly "own up to it" within the confines of a single HN thread.

user

10 months ago

[deleted]

tomjakubowski

10 months ago

Hi Hursh, I'm Tom. A couple friends use Arc and they like it, so I had considered switching to it myself. Now, I won't, not really because of this vulnerability itself (startups make mistakes), but because you paid a measly $2k bounty for a bug that owns, in a dangerous way, all of your users. I won't use a browser made by a vendor who takes the security of their users this unseriously.

By the way, I don't know for sure, but given the severity I suspect on the black market this bug would have gone for a _lot_ more than $2k.

poincaredisk

10 months ago

Selling vulnerability on the black market is immoral and may be illegal. The goal of bug bounty programs was initially to signal "we won't sue white hat researchers who disclose their findings to us", when did it evolve into "pay me more than criminals would, or else"?

JumpCrisscross

10 months ago

> because you paid a measly $2k bounty for a bug that owns, in a dangerous way, all of your users

The case is redeemable. It may still be an opportunity if handled deftly. But it would require an almost theatrical display of generosity to the white hat (together, likely, with a re-constituting of the engineering team).

ljm

10 months ago

You have no idea but you suspect someone could have made more?

tengbretson

10 months ago

So you're not going to use Arc. How much do you pay for the browser you do use?

keepamovin

10 months ago

Should have at least paid €1 per user. Eh, maybe that’s what they did?

rachofsunshine

10 months ago

Comments further down are concerned that on each page load, you're sending both the URL and a(n identifiable?) user ID to TBC. You may want to comment on that, since I think it's reasonable to say that those of us using not-Chrome (I don't use Arc personally, but I'm definitely in the 1% of browser users) are likely to also be the sort of person concerned with privacy. Vulnerabilities happen, but sending browsing data seems like a deliberate design choice.

mthoms

10 months ago

I think that is addressed in the post. Apparently the URL was only sent under certain conditions and has since been addressed:

>We’ve fixed the issues with leaking your current website on navigation while you had the Boost editor open. We don’t log these requests anywhere, and if you didn’t have the Boosts editor open these requests were not made. Regardless this is against our privacy policy and should have never been in the product to begin with.

Given the context (boosts need to know the URL they apply to after all) this indeed was a "deliberate design choice" but not in the manner you appear to be suggesting. It's still very worrisome, I agree.

tyho

10 months ago

There isn't really anything you can do to convince me that your team has the expertise to maintain a browser after this. It doesn't matter that you have fixed it, your team is clearly not capable of writing a secure browser, now or ever.

I think this should be a resigning matter for the CTO.

avarun

10 months ago

And what, you’re going to find them a new CTO? What kind of magical world do you live in where problems are solved by leaders resigning, instead of stepping up and taking accountability?

pembrook

10 months ago

Surprise surprise, turns out it takes a looong time for every software startup to finally strip out all the hacky stuff from their MVP days. Apparently nobody on this startup community forum has ever built a startup before.

Pro tip: if stuff like this violently upsets you, never be an early adopter of anything. Wait 5-10 years and then make your move.

Personally, I expect stuff like this from challenger alternatives, this is the way it should be. There is no such thing as a new, bug-free software product. Software gets good by gaining adoption and going through battle testing, it’s never the other way around like some big company worker would imagine.

Insanity

10 months ago

Well, the current team perhaps.

But it's also likely part of the startup mentally of "move fast and break things", which is not entirely compatible with the goal of the browser.

bloopernova

10 months ago

Will you be increasing the bug bounty payout? $2,000 is a tiny fraction of what this bug is worth, I hope you will pay the discoverer a proper bounty.

You've been handed a golden opportunity to set the right course.

JumpCrisscross

10 months ago

> $2,000 is a tiny fraction of what this bug is worth

The Browser Company raises $50mm at a $550mm post-money valuation in March [1]. They’ve raised $125mm altogether.

Unless they’re absolute asshats, they’ll increase the bug payout. But people act truly when they don’t think they’re being watched—a vulnerability of this magnitude was worth $2k to this company. That’s…eyebrow raising.

[1] https://techcrunch.com/2024/03/21/the-browser-company-raises...

Laaas

10 months ago

Any new vulnerability will be sold to the highest bidder and/or exploited instead of being reported for the bug bounty because of this.

user

10 months ago

[deleted]

qwertox

10 months ago

> including moving off Firebase

Firebase is not to blame here. It's a solid technology which just has to be used properly. Google highlights the fact that setting up ACLs is critical and provides examples on how to set them up correctly.

If none of the developers who were integrating the product into Arc bothered about dealing with the ACLs, then they are either noobs or simply didn't care about security.

com2kid

10 months ago

Saying Google provides examples of being rather nice about it.

Firebase ACLs are a constant source of vulnerabilities largely because they are confusing and don't have enough documentation around them.

tanx16

10 months ago

> We’re also bolstering our security team, and have hired a new senior security engineer.

Is there a reason why you don’t have any security-specific positions open on your careers site?

ha470

10 months ago

We did but we closed the roles by hiring folks. They just haven’t joined yet.

zo1

10 months ago

Until this individual comes back and responds to at least a few of the questions/comments, I don't think we should even pay attention to this marketing-dept-written post. They basically want this to go away, and answering any questions would raise more issues most likely, so they just seemed to have done the bare minimum and left it at that. It's 3 hours later now, they might as well have not even posted anything here.

exdsq

10 months ago

$2000 is an absurdly small bounty here - you should up that

radicaldreamer

10 months ago

50k or 100k would be far more appropriate given the severity of this issue. But overall, this makes me think there's probably a lot more vulnerabilities in Arc that are undiscovered/unpatched.

Also, there's the whole notion of every URL you visit being sent to Firebase -- were these logged? Awful for a browser.

ha470

10 months ago

Ya this is fair! Honestly this was our first bounty ever awarded and we could have been more thoughtful. We’re currently setting up a proper program and based on that rubric will adjust accordingly.

FleetAdmiralJa

10 months ago

I think the bigger question is: Why are you violating your own security policy by keeping track on what we browse. I though my browsing is private and hidden away from you but if you store my browsing data in your firebase this is not acceptable at all.

liendolucas

10 months ago

> "...the hypothetical depth of this vulnerability is unacceptable."

What is also unacceptable is to pay 2000 dollars for something like this AND have to create user accounts to use your browser. Will definitely stay away from it.

_kidlike

10 months ago

no mention of the pitiful bounty reward (2000 usd). only sorry and thanks. Please award this person a proper bounty.

__turbobrew__

10 months ago

Are you going to address the part where you send visited websites to Firebase which goes against your privacy policy of not tracking visited URLs?

markandrewj

9 months ago

I would like to respectfully provide the suggestion of allowing for the use of Arc without being signed into an account. Although I understand browser/device sync is part of most modern browsers, and the value it provides, normally it is a choice to use this feature. Arc still provides a lot of attractive features, even without browser sync on.

benreesman

10 months ago

I like Arc, and I don’t want to pile on: God knows I’ve written vulnerable code.

To explore a constructive angle both for the industry generally and the Browser Company specifically: hire this clever hacker who pwned your shit in a well-remunerated and high-profile way.

The Browser Company is trying to break tradition with a lot of obsolete Web norms, how about paying bullshit bounties under pressure rather than posting the underground experts to guard the henhouse.

If the Browser Company started a small but aggressive internal red team on the biohazard that is the modern web?

I’ll learn some new keyboard shortcuts and I bet a lot of people will.

nixosbestos

10 months ago

So when there are near weekly reports of websites being compromised due to horrid Firebase configuration, did absolutely no one on your teams raise a red flag? Is there some super low-pri ticket that says "actually make sure we use ACLs on Firebase"?

kernal

10 months ago

>Arc brought order to the chaos that was my online life. There’s no going back.

Bringing the chaos back like it's 1999.

msephton

10 months ago

I misread your name as Hush which is kind of fitting considering how you're trying to make this go away

metadat

10 months ago

Hursh / ha470, where did you go? There are lots of good questions in the replies to your thread, yet you went dark immediately after posting more than 8 hours ago. It's hard to imagine what could be more pressing than addressing people's concerns after a major security incident such as this.

To be honest, I'm a bit disappointed. For future reference, this doesn't seem like a good strategy to contain reputational damage.

FactKnower69

10 months ago

remember when reading this that this guy's company is valued at a billion dollars and his comp is 10x yours if not more. we live in a meritocracy

ycombinatrix

10 months ago

ngl this is pretty pathetic. the massive security hole is one thing but you're just gonna gloss over violating your own privacy policy?

exabrial

10 months ago

Bro you should be requiring accounts to download HTML. Come on man.

mirzap

10 months ago

Pay the guy properly. $2000 is an insult. It should be $50k. This kind of bug could be sold for 100-200k easily.

JumpCrisscross

10 months ago

> This kind of bug could be sold for 100-200k easily

Maybe not. If the browser is that buggy, there may be plenty of these lying around. The company itself is pricing the vulnerability at $2k. That should speak volumes to their internal view of their product.

user

10 months ago

[deleted]

user

10 months ago

[deleted]

ibash

10 months ago

Thanks for the response.

While people might nitpick on how things were handled, the fact that you checked if anyone was affected and fixed it promptly is a good thing.

ziddoap

10 months ago

It is not really nitpicking, given the severity.

Being prompt on a vulnerability of this magnitude should be considered "meeting the standard" at best.

metadat

10 months ago

The CTO and co-founder didn't check in on any of the concerns, completely disappeared after leaving a heartfelt comment. This comes off as incredibly disingenuous.

zachrip

10 months ago

I just want to call out that there is a lot of blame put on firebase here in the comments but I think that's just people parroting stuff they don't actually know about (I don't use firebase, I have tried it out in the past though). This isn't some edge case or hard to solve thing in firebase, this is the easy stuff.

The real issue here is that someone wrote an api that trusted the client to tell it who they were. At the end of the day this is an amateur mistake that likely took a 1 line diff to fix. Don't believe me? Check out the docs: https://firebase.google.com/docs/rules/rules-and-auth#cloud-... - `request.auth` gives you the user id you need (`request.auth.uid`).

tr3ntg

10 months ago

As someone with an app built on firebase, yes. As the author rightly points out, it's very easy to misconfigure, but basic security practices like these are highlighted in bright, bold warning text in the Firebase docs.

Security rules are meant to be taken seriously, and it's your only line of defense.

swatcoder

10 months ago

> bold warning text in the Firebase docs.

Unfortunately, we currently have an industry where highly paid "engineers" unironically believe that their job can be done by reading/watching random tutorials, googling for StackOverflow answers, and pasting code from gists.

Attentively reading documentation or developing a mental model of how your tools work so that you know how they are built to be handled does not make it on to any job listing bullet points. It presumably fell off the bottom in favor of team spirit or brand enthusiasm or whatever.

How many tutorials, community answers, and gists do you think conveyed that warning?

bichiliad

10 months ago

I think a system that makes it this easy to shoot yourself in the foot is probably not a great system. Documentation is important, and I'm glad it's clear and obvious, but humans make mistakes. You'd hope that the mistakes have less dire consequences.

rakoo

10 months ago

> it's very easy to misconfigure, but basic security practices like these are highlighted in bright, bold warning text in the Firebase docs.

I'm sorry but if the whole design is "one big database shared with everyone and we must manually configure the database for auth" there is a problem that's deeper than just having to read the doc. It means the basic understanding of what it means to keep data as private as possible is not understood. A shared database only works when the server accesses it, not when client has direct access.

What Arc needs is to segregate each user's data in a different place, in the design of the database, not as part of configuration of custom code. Make it impossible to list all user's data, or even users. When, not if, an id is guessed, related data becomes accessible by someone else; make it so that someone else still can't read it, or can't replace it.

wredue

10 months ago

Nobody reads docs dude. They copy and paste stack overflow answers, and now, copilot answers, which is going to be based on stack overflow ultimately anyway.

bcrosby95

10 months ago

It's interesting to see software engineers going from rolling their own auth, to not rolling their own auth, to not even noticing this quite blatant security problem.

It doesn't matter if you roll your own auth or not, you need to understand a very basic fundamental of it all: never trust the client.

NewJazz

10 months ago

At the end of the day this is an amateur mistake

God I wish. More than one of my coworkers has made this exact mistake with our (thankfully internal) front-end apps.

make3

10 months ago

I guess we're not always professionals at all the work that we do, if that makes sense

albedoa

10 months ago

Are you defining amateurs as people who are not your coworkers? It can still be an amateur mistake.

knowitnone

10 months ago

If it's internal, did they really need to have auth?

kerkeslager

10 months ago

A security plan which depends on any person never making an amateur mistake, is an amateur mistake.

kfarr

10 months ago

Agreed, if I understand correctly the fix to this issue would be the following rules inside of a "match" statement in firestore.rules which is plainly documented as firebase firestore security 101:

```

// Allow create new object if user is authenticated

allow create: if request.auth != null;

// Allow update or delete document if user is owner of document

allow update, delete: if request.auth.uid == resource.data.ownerUID

```

GVRV

10 months ago

Didn't they already have these rules in place? And the vulnerability was when the owner was updating the resource to have a new owner?

cutemonster

10 months ago

Is there no Allow-read? Edit: Yes,

    allow read, update, delete: if request.auth != null && request.auth.uid == userId;

vertical91

10 months ago

This is what happens when you hire solely based on leetcode skill. A shit-tier engineer can master leetcode within months, but a good engineer will probably struggle at Find Nth Smallest Sum problem because he spends more time reading and thinking about code.

Leetcode is a fucking joke to the industry, gone are the days when you actually had good code with devs who spent time thinking about information architecture. In my experience boomer devs are actually the only ones who write idiomatic code. Millennial and Gen-z devs are the worst, they have no understanding beyond basic function calling.

nsonha

10 months ago

the whole idea of firebase is flawed as logic that belongs to a server is now on the client side. I don't know much about security but that sounds like making any centralized rule (eg security) hard to implement. It also tends to expose more internal logic than the client needs to know, which is bad in both software design and security.

water-data-dude

10 months ago

I just wanted to say, I enjoyed the little pixel art cat that runs towards wherever you click immensely. It’s one of those fun, whimsical little touches that I don’t see all that often. A reminder that the internet can be a fun, whimsical place if we want it to be :)

Semaphor

10 months ago

As I didn’t get that, it seems like the dev honors prefers-reduced-motion, and doesn’t display it in that case. Excellent of them, give joy to those who want it, prevent annoyances for those who hate them.

jeroenhd

10 months ago

It does: https://github.com/adryd325/oneko.js/blob/main/oneko.js

       const isReducedMotion =
         window.matchMedia(`(prefers-reduced-motion: reduce)`) === true ||
         window.matchMedia(`(prefers-reduced-motion: reduce)`).matches === true;
     
       if (isReducedMotion) return;
     
Simple but effective. More websites should include this check. Well done, adryd325!

johndough

10 months ago

On Debian, you can install and run the cat with

    sudo apt install oneko
    oneko &
Makes a great gift for colleagues who leave their computer unattended.

bbarnett

10 months ago

Well that was a rabbit hole.

Current version is hard to even see with high-res screens. A few checks shows endless ports, code from the 90s and before, and all sorts of other fun.

Wonder if the author will reply.

0x1ceb00da

10 months ago

You have sudo access to your colleagues computers?

hbn

10 months ago

It's cute but I just can't focus on the article knowing the cat is gonna move every time I move my mouse or scroll. I popped open my console and deleted him. Sorry, kitty

nkrisc

10 months ago

And here I was wishing it would go away and trying to find a way to hide it because on my phone it was always covering text. Firefox reader mode worked.

jonny_eh

10 months ago

I found it, like an actual cat, extremely distracting.

knowitnone

10 months ago

it sits when it's next to pointer. just don't move your mouse.

TiredOfLife

10 months ago

On desktop it follows the mouse no need to click.

lukan

10 months ago

I did not. On the firefox mobile browser it was just using screen space.

brettermeier

10 months ago

It is distracting and annoyed me, I stopped reading because of it.

lelandfe

10 months ago

I thought it just ran around on the top line of the header, and was quite taken with it. I then scrolled and it followed me right into the middle of a paragraph. Less taken, but cat's gonna cat.

zendaven

10 months ago

I guess it's removed? I don't see it. On Windows Chrome.

Borgz

10 months ago

According to this article, Arc requires an account and sends Google's Firebase the hostname of every page you visit along with your user ID. Does this make Arc the least private web browser currently being used?

causal

10 months ago

I trashed Arc immediately after install when I found out having an account was mandatory. That seemed so silly, like toothbrushes-requiring-wifi absurd. How much moreso now.

scblock

10 months ago

Truly. I was looking for a privacy respecting Chromium-based browser to use for Web MiniDisc (https://web.minidisc.wiki/) and came across some enthusiastic praise for Arc. I downloaded it and it immediately wanted me to create an account to even use it. How can that possibly respect my privacy? It went right in the trash.

macintux

10 months ago

I had the same response when I downloaded Dart and discovered that a programming language thought it was acceptable to send telemetry.

pndy

10 months ago

I had doubts already when submissions promoting the browser were added on hn while there was no way to see how it looks like or even test it out - for quite some time there was nothing but mail singup on their page.

https://news.ycombinator.com/item?id=35801529

DevX101

10 months ago

I did the same. Requiring an account for a browser is immediately disqualifying. I don't care how many features it has.

jonny_eh

10 months ago

Even Chrome wouldn't dare

AzzyHN

10 months ago

I think OperaGX wins that award

mrweasel

10 months ago

I'm also left wondering: How broken would Arc be, if Firebase was to go down?

diggan

10 months ago

I guess it's relatively easy to test, add the Firebase domain to your host file and point it to 127.0.0.1 and try to use the browser.

Sometimes things like this handle connection failures better than "never-ending connection attempts", so you might want to try to add a throttle or something too for the traffic between the domain and the browser, might also trip it up.

Saris

10 months ago

When I downloaded it a few months ago and it required an account to even use it, my gut feeling was that I should just stick with Firefox.

qwertox

10 months ago

They don't encrypt the data they send via Firebase?

I mean, even Google suggests doing this with sensitive data.

ARandomerDude

10 months ago

"Arc is the Chrome replacement I’ve been waiting for." [1]

> https://arc.net/

I guess now we know why they frame it that way.

kccqzy

10 months ago

Chrome does not require an account to use. And Chrome by default doesn't send sites you visit to Google, unless you turn on the "make searches and browsing better" feature or the "enhanced safe browsing" feature.

So the OP is right. Arc's privacy is worse than Chrome.

ko_pivot

10 months ago

This is such a fantastic bug. Firebase security rules (like with other BaaS systems like Firebase) have this weird default that is hard to describe. Basically, if I write my own API, I will set the userId of the record (a 'boost' in this case) to the userId from the session, rather than passing it in the request payload. It would never even occur to a developer writing their own API past a certain level of experience to let the client pass (what is supposed to be) their own userId to a protected API route.

On the other hand, with security rules you are trying to imagine every possible misuse of the system regardless of what its programmed use actually is.

nottorp

10 months ago

> On the other hand, with security rules you are trying to imagine every possible misuse of the system regardless of what its programmed use actually is.

Tbh you're doing it wrong if you go that way.

Default deny, and then you only have to imagine the legitimate uses.

ko_pivot

10 months ago

Fair enough, but my point is more conceptual, in that you still have to write `boost.userId == auth.userId` as an allowed pattern rather than making that pattern the only technically possible result, which is the convention in a traditional API.

sorrythanks

10 months ago

And then when you imagine the legitimate uses you have to imagine how allowing those legitimate uses could be misused. You always need to think red and blue.

kevincox

10 months ago

For inserts yes, but for updates I've frequently seen cases where people just stuff the whole request into their ORM or document store. It is pretty easy to think "the owner can update the document" without realizing that there are some fields (that the official client doesn't set) that shouldn't be updated (like the owner or created timestamp).

The correct solution is likely default-deny auth for every single field. Then you at least have to explicitly make the owner field writable, and hopefully consider the impact of transfering this object to another user.

ARandomerDude

10 months ago

I'm amazed by how profoundly stupid this vulnerability is. To get arbitrary code execution, you literally just send somebody else's user ID, which is fairly trivial to obtain.

I don't work at FAANG. I just work at some company that makes crap products you don't actually need, and even I would never build this kind of bug.

But these people want to build a web browser, with all the security expertise and moral duty that implies?! Wow.

bilater

10 months ago

Can you explain how you could get someone else's user id? I get that this is still a big vulnerability but am trying to understand how that would happen.

darthwalsh

10 months ago

It says in the article. If you share one of your snippets, or make/accept a friend request, that all uses the same id

user

10 months ago

[deleted]

monroewalker

10 months ago

Can we have Arc added to the title of the post to better alert people who use or know people who use the browser?

gcr

10 months ago

Huge agree. I didn’t realize this applied to me the first time I saw this story yesterday. It was the rename that got me to click.

Honestly I strongly feel the title should be “fundamental bug in Arc browser (CVE 123-4567)” or similar.

bhaney

10 months ago

There are a lot of major security vulnerabilities in the world that were made understandably, and can be forgiven if they're handled responsibly and fixed.

This is not one of them. In my opinion, this shows a kind of reputation-ruining incompetency that would convince me to never use Arc ever again.

gwd

10 months ago

On the other hand, this is pretty impressive:

    aug 25 5:48pm: got initial contact over signal (encrypted) with arc co-founder hursh
    aug 25 6:02pm: vulnerability poc executed on hursh's arc account
    aug 25 6:13pm: added to slack channel after details disclosed over encrypted format
    aug 26 9:41pm: vulnerability patched, bounty awarded
    sep 6 7:49pm: cve assigned (CVE-2024-45489)
Four hours from out-of-the-blue initial contact until a fix pushed is pretty good, even given how simple this fix probably was.

EDIT: Oh, the date changed; so it was 28 hours until fix. Still decent; and half an hour from initial contact to "Join our slack channel" is incredibly fast response time.

Rygian

10 months ago

Reacting fast is the least the vendor could do. Bare minimum. This should not be applauded. It should be treated as "well, at least they reacted at a reasonable speed so the root cause was probably not malice".

In other words, a quick turnaround with a fix does not lessen the impact of being negligent about security when designing the product.

ActionHank

10 months ago

"They put the bandaid over the wound caused by a flagrant disregard for the users privacy, security, and safety."

Phew, glad that's over and will never happen again.

tadzik_

10 months ago

28 hours (note the date), but still

ycombinatrix

10 months ago

28 hours for a 1 line fix is impressive?

tailspin2019

10 months ago

The mandatory account just to try Arc was always a massive red flag to me - and led to me never trying it. Now I’m glad I didn’t!

shermantanktop

10 months ago

You could have just borrowed someone else’s, it appears.

bschmidt1

10 months ago

No Linux version prevented me from trying it, didn't even get to the account wall, who knows if there's a pay wall. Perhaps the "moat" concept was misunderstood.

rpastuszak

10 months ago

Honestly I’ve always considered Arc to be a wolf in sheep’s clothing, especially when it comes to privacy.

50-60mm cash at 500mm (!) valuation and no business model is a big red flag when it comes to something as important, as personal as a browser. This is not a charity. Someone, somehow will have to pay for that.

danpalmer

10 months ago

Yeah I’m so torn. It’s honestly the best browser UX I’ve seen, the right combination of vertical tabs, auto archiving, spaces/collections, sync, etc. I don’t care for Easels, but the core is good.

Except… the growth hacks have started to creep in. They overlay an advert for their own AI services on top of regular Google search results pages in their mobile app. Not even a browser chrome UI element, it’s literally over the page content. That feels like a huge violation of what it means to be a browser.

I don’t want their AI features. I don’t want growth hacks. I don’t want to sign in except for sync. I’d happily pay $40 a year for Arc as a product-focused-product, but as a VC-focused-product it’s heading downhill.

aaomidi

10 months ago

You’d think that a company shipping a browser would pay a little more attention to security rules.

Also, shame on firebase for not making this a bit more idiot proof.

And really? $2500? That’s it? You could’ve owned literally every user of Arc… The NSA would’ve paid a couple more zeros on that.

prmoustache

10 months ago

> You could’ve owned literally every user of Arc… The NSA would’ve paid a couple more zeros on that.

only the 17 users they have.

Shouldn't a government sue you if you try to sell him out vuln unless you personally know people in charge?

nemomarx

10 months ago

Are there a lot of Arc users? It seems like a pretty niche browser even compared to other niches.

255kb

10 months ago

Firestore rules are in "lock mode" (no read or write allowed) by default since a long time. Then, everything is ultra well explained in the docs.

I was already aware of it when being a noob dev 10 years ago, and could easily write a rule to enforce auth + ownership in the rules. No way, seasoned devs can miss that.

Thorrez

10 months ago

The page says $2,000.

rmbyrro

10 months ago

A couple? A vuln like this is worth >$1M very easily on the market.

Imustaskforhelp

10 months ago

yes. I feel sad that now we have created an incentive where selling to the govt.'s is often much lucrative than telling to the vulnerable party (arc in this case)

(just imagine , this author was great for telling the company , this is also a cross platform exploit with very serious issues (I think arc is available on ios as well))

how many of such huge vulnerabilities exist but we just don't know about it , because the author hasn't disclosed it to the public or vulnerable party but rather nsa or some govt. agency

endigma

10 months ago

Also, firebase? seriously? this is a company with like, low level software engineers on payroll, and they are using a CRUD backend in a box. cost effective I guess? I wouldn't even have firebase on the long list for a backend if I were architecting something like this. Especially when feature-parity competitors like Supabase just wrap a normal DBMS and auth model.

JumpCrisscross

10 months ago

> low level software engineers on payroll

How does The Browser Company make money? They're giving their product away for free.

Browsers are complicated. It doesn't inspire confidence that the folks in charge of that complexity can't get their heads around a business model.

(Aside: none of their stated company values have anything to do with the product or engineering [1]. They're all about how people feel.)

[1] https://thebrowser.company/values/

throwaway48540

10 months ago

I don't see an issue, using something like Firebase is what a smart engineer would do. Just this one piece of logic is a problem.

arcisbad

10 months ago

This convinced me to never use Arc again. I created a small guide to migrate from it to an open-source alternative: https://gist.github.com/clouedoc/4acc8355782f394152d8ce19cea...

TL;DR: it's not possible to export data from Arc, but it's possible to copy-paste the folder to a Chrome profile, and Firefox and other browsers will detect&import it.

Sakos

10 months ago

Unfortunately, Zen Browser simply isn't an alternative. If you like Arc, then Zen's UI for tabs and splitting views isn't really anywhere close to satisfying the same needs.

user

10 months ago

[deleted]

Imustaskforhelp

10 months ago

I agree & disagree.

Browsers are very important part of our life. If someone compromises our browsers , they basically compromise every single aspect of privacy and can lead to insane scams.

And because arc browser is new , they wanted to build fast and so they used tools like firebase / firestore to be capable of moving faster (they are a startup)

Now I have read the article but I am still not sure how much of this can be contributed to firebase or arc

On the following page from same author (I think) https://env.fail/posts/firewreck-1 , tldr states

- Firebase allows for easy misconfiguration of security rules with zero warnings

- This has resulted in hundreds of sites exposing a total of ~125 Million user records, including plaintext passwords & sensitive billing information

So because firebase advocates itself to the developers as being safe yet not being safe , I think arc succumbed to it.

firestore has a tendency to not abide by the system proxy settings in the Swift SDK for firebase, so going off my hunch,

Also , you say that you have been convinced to never use arc again.

Did you know that chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to the websites starting with *.google.com ?

this is just recently discovered , just imagine if something more serious is also just waiting in the shadows Couldn't this also be considered a major security vulnerability just waiting to be happen if some other exploit like this can be discovered / google.com is leaked and now your cpu information and way more other stuff which browsers shouldn't know is with a malicious threat actor ?

nine_k

10 months ago

I very much agree with the idea that browsers are security-sensitive software, unlike, say, a picture editor, and more like an ssh server. It should be assumed to be constantly under attack.

And browser development is exactly not the area where I would like to see the "move fast, break things" attitude. While firebase may be sloppy with security and thus unfit for certain purposes, I would expect competent developers of a browser to do due diligence before considering to use it, or whatever else, for anything even remotely related to security. Or, if they want to experiment, I'd rather that be opt-in, and come with a big banner: "This is experimental software. DO NOT attempt to access your bank account, or your real email account, or your social media accounts".

With that, I don't see much exploit potential in learning stats like the number of cores on your machine. Maybe slightly more chances of fingerprinting, but nothing comparable to the leak through improper usage of firebase.

prmoustache

10 months ago

You do know that there are more than chrome and arc right?

IggleSniggle

10 months ago

> Did you know that chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to the websites starting with *.google.com ?

That's pretty interesting. Where can I learn more about this?

jaharios

10 months ago

>>Did you know that chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to the websites starting with *.google.com ?

Yeah so using chrome based browsers like Arc is giving more power to Google to do shady stuff while also being a victim of the third party unsafe code.

hollywood_court

10 months ago

Thank you for sharing this. I have been using Arc since the first week of beta.

The fact that they don't even mentioned this bug/fix on any of their social media is quite alarming.

I enjoyed my time with Arc, but I can't possibly see myself continuing to use it after the way they handled this.

Sakos

10 months ago

Them acknowledging the issue, then fixing it within 28 hours isn't good enough for you? That kind of response makes me happy to continue using Arc.

chenmike

10 months ago

I'm in the same boat as GP. Was invited early, loved the Arc UX far more than any other browser. I've recommended it to many people.

As many other comments have pointed out, this vulnerability is such a rookie mistake that I don't think I can trust them again after this without understanding what factors in their security/engineering culture led to it. Patching this one issue isn't enough.

ziddoap

10 months ago

>Them acknowledging the issue, then fixing it within 28 hours isn't good enough for you?

Are you not concerned with the yet to be discovered vulnerabilities?

What is concerning is the nature of the vulnerability and how it speaks to their security culture (which is obviously non-existent). This also revealed that their privacy policy is pure marketing fluff, completely disconnected from (and, in fact, counter to) their actions.

If you are comfortable using a browser (probably the software with the largest risk and attack surface on your device) that had an embarrassingly rudimentary vulnerability, made by a company who lie about the most important promise of their privacy policy, then I've got a calculator app for you.

tomaskafka

10 months ago

They afaik never said that they ‘fixed’ the issue where they’re sending Google your every visited url.

hollywood_court

10 months ago

Where did they acknowledge the issue? There’s nothing about this issue on their website or their Twitter feed.

shepherdjerred

10 months ago

$2000 is an insulting amount for such a huge vuln

bruh2

10 months ago

Judging by blog posts on HN, I got the impression that these vulnerabilities are often not rewarded at all, or rewarded by a minuscule amount. It almost seems like companies are begging hackers to sell these exploits. Perhaps because they aren't penalized by the regulator for breaches?

Spivak

10 months ago

They offer a low price because the risk of tanking your career, landing yourself in jail, and the fact that the researcher probably doesn't know how to line up a sale means the company is the only buyer.

I would go the other way, companies offer low bug bounties because they don't want researchers to discover them in the first place. This looks terrible for Arc despite the fact if left undisclosed it probably would have continued to be unexploited for years to come.

dgellow

10 months ago

Yeah, that was my first reaction. I'm really surprised they were cheap on this

isoprophlex

10 months ago

Yeah, you have to have some solid backbone not to sell this off to some malicious party for 20-50x that amount...

umanwizard

10 months ago

Am I too optimistic? I feel like most regular people I know wouldn’t sell this off. Most people are not antisocial criminals by nature, and also wouldn’t know how to contact a “state actor” even if they wanted to.

saagarjha

10 months ago

A malicious party who wants a vulnerability in a browser effectively nobody uses?

ahoef

10 months ago

Nice article, but this is hard to read without proper capitalization. My brain uses capitals to scan beginning and ending of text.

ocean_moist

10 months ago

Young people (like me) use lowercaps like that all the time. Around 50% of the young people I know purposefully turn off auto-caps on their phone.

Why? I really couldn't say. I think we just like the feel of it. The only reason I type with proper capitalization on HN and my blog is because I know older people read it.

keybored

10 months ago

I’m middle-aged. I’ve noticed in the last few months more and more articles with this style. Something I’ve never seen before in blogging or article writing.

I usually notice the style at some point but this time I had no idea until this other commenter pointed it out. I guess I am getting acclimatized.

ac29

10 months ago

Using uppercase is for writing (more formal).

using lowercase is for chat (less formal)

Aachen

10 months ago

I was similarly fascinated by the stylistic choices made here. No capitalisation of even any names, no hyphen in a compound adjective, but dots and commas and spaces are deemed necessary, also before "and" where the word clearly acts as separator already. If you look at the waveform of speech, we have no spaces between regular words so, if they want to eliminate unnecessary flourishes... though perhaps (since text largely lacks intonation markers) that makes it too unreadable compared to the other changes. All this is somehow at least as fascinating to me as the vulnerability being described!

latexr

10 months ago

It’s just another dumb social media trend, like tYpiNg LiKe tHiS. Hopefully it too will phase out. Search for “lowercase trend” and you’ll find reports of it going years back, there’s nothing worth being fascinated about.

It has seeped into HN as well. Look closely and you’ll notice several commenters type like that.

aucisson_masque

10 months ago

That's how you ruin a company reputation. Not saying it is or not deserved, but how could anyone trust a browser that had such a big security fail.

And what about all the other that have not been reported or may be exploited ?

From now on, every time someone is going to suggest arc browser, there will be another one to remind everyone of that. That's going to be very difficult to overcome when your software already doesn't have that big of a market share.

voiceblue

10 months ago

It's a little worse than that. From now on, blackhats will have a favorite #1 browser to pentest, at least for the next few weeks.

And who's going to take the bet that they'll find nothing? Not me.

kfarr

10 months ago

Instead of knee jerk firebase is bad, can we discuss how this could be abated properly with firebase rules for firestore?

Is this the rule that was missing for arcs boosts or whatever object?

```

  match /objects/{object} {

     // Allow create new object if user is authenticated

      allow create: if request.auth != null;

      // Allow update or delete document if user is owner of document

      allow update, delete: if request.auth.uid == resource.data.ownerUID

  }
```

user

10 months ago

[deleted]

supriyo-biswas

10 months ago

Great research. As I've said elsewhere, Firebase's authentication model is inherently broken and causes loads of issues, and people would be better off writing a small microservice or serverless function that fronts Firebase.

Also, for anyone trying to read the article, they should put `/oneko.js` in their adblocker.

Aaron2222

10 months ago

> Also, for anyone trying to read the article, they should put `/oneko.js` in their adblocker.

Only if you hate cats, pixel art, or are easily distracted.

Milner08

10 months ago

Im dyslexic and I tend to use the pointer to follow what I am reading to help me. The cat was annoying as hell. I just had to hide the element in the DOM before i could read more than a few lines. Infuriating design choice to make it follow the pointer.

nottorp

10 months ago

Looks like someone already added it to uBlock Origin since I see no cat.

Or maybe the cat doesn't support Firefox...

hunter2_

10 months ago

I suspect it's that they hate are easily distracted (if "hate" falls outside of the series, such that it applies beyond just "cats")!

zachrip

10 months ago

It's really not hard to build this safely in firebase, this could've been authored the same way in node too. I think whoever authored this either majorly cut corners or just isn't experienced enough to understand how to write authenticated controllers like this. This should scare people away from this browser, it's such a basic thing to mess up and it shouldn't have happened.

Sakos

10 months ago

> Firebase's authentication model is inherently broken

I'm not very familiar with Firebase. In what way is it broken and what issues does it cause?

supriyo-biswas

10 months ago

The fact that clients write directly into the database and that it's widely encouraged.

There are security rules in Firebase to prevent this, but bolt-on security models that the user has to explicitly enable haven't shown to work.

imglorp

10 months ago

OP is talking about the Arc browser, not the Arc language, the Arc "Atomic React" project, or any of scores of other projects with that name.

throwaway984393

10 months ago

https://arc.net/faq

I'm definitely not the target audience... Even after reading the faq I have no idea what it does

PufPufPuf

10 months ago

As a person that recently started using it: it has something like "tree style tabs", and sort of a hybrid merge of the concepts of tabs and bookmarks. In other words, the tabs work more like files on disk -- open/closed, sorted into folders. I'm probably not explaining it well either, but I encourage you to try it if you ever wanted to experiment with alternative tab management (tree style tab, tab groups etc). It's a concept that clicked for me quickly once I started using it, and now I'm angry since I want to use Firefox for philosophical reasons but don't want to go back to regular tabs.

__jonas

10 months ago

It's a browser (chromium based) with a really nice UI that people love, I am intrigued but haven't used it because I find the requirement to create an account off-putting.

Vegenoid

10 months ago

The “what makes Arc different from other browsers” section is particularly funny.

> Arc is to your ex-browser what the iPhone was to cellphones. Or as one of our members said “like moving from a PC to a Mac.” It’s from the future — and just feels great.

efilife

10 months ago

I don't understand what you do not get. In the link you sent they claim to be a privacy oriented web browser based on chromium

lemonberry

10 months ago

Arc was recommended to me by a friend. I deleted upon finding out I needed an account to use it. The excuse Arc gives is in case you want to sync. I'm capable of opting into that.

timeon

10 months ago

"in case" is good excuse if the account is optional. Which is not case here.

exabrial

10 months ago

I roasted them on HN when they announced their product: Browsing the interest should not require an account. Its an "HTML Client", absolutely absurd. Hopefully they sit down and reconsider their choices.

segasaturn

10 months ago

It is remarkable that Arc has taken billions of dollars in VC cash but makes these rookie mistakes in securing their own backend that all of their users are accessing. Where are those billions of dollars going? Is it all just in marketing?

imiric

10 months ago

You seem surprised. This is the MO of many tech companies.

radicaldreamer

10 months ago

Probably the line of thinking is that security can be a back burner issue until product market fit is achieved.

Doesn't matter if you build the most secure product if nobody is using it, right? Where that breaks down is that a browser MUST be relatively secure, otherwise you've given up the whole ballgame.

Hexigonz

10 months ago

I really enjoy Arc's approach to the browser interface, but I am kind of shocked that it requires firebase at all. It touts privacy, but we have to log in, and our data is being stored in a BAAS owned by Google. It would have been SO much simpler to make it so that data is owned by the user and stored on disk. At MOST, maybe a paid syncing feature would require an external database. A takeover path like this is a big deal, but as the author pointed out, you stored URL browsing data for boosts. "Privacy first" browser's are marketing jargon today, and that sucks.

wraptile

10 months ago

That has been the reason I've never given Arc a shot. It's unacceptable.

bestest

10 months ago

the developers working with firebase should enforce common-sense document crud restrictions in the rules. that's just how firebase is. everyone knows it.

now, when talking about ARC BROWSER, i am seriously starting to doubt the competence of the team. I mean, if the rules are broken (no tests? no rules whatsoever?), what else is broken with ARC? are we to await a data leak from ARC?

any browser recommendations with proper vertical tabs and basically everything working like it does in ARC?

fold3

10 months ago

Did you took a look at the zen browser? It's an arc clone based on Firefox https://zen-browser.app/

tomaskafka

10 months ago

I did. It’s like 20 % an Arc clone, and 80 % of UX papercuts. Like, you can’t have ‘add tab’ button on top when the new tab gets added to the bottom. Or that one sidebar button opens a side window to the right of the sidebar, while another below it opens the favorites to the left and moves the whole sidebar from underneath your mouse.

Looks like a minimal effort css restyle of Firefox.

bestest

10 months ago

nice. will probably try it in the future.

but the for-some-reason-not-obvious revelation that it's just a product that some team somewhere is working on and the fact that a browser is an important piece of software brought me back to safari (not sure if joke's on me, but in this case I trust apple engineers to do a more thorough job in ensuring my data is secure).

currymj

10 months ago

i'm rooting for them to succeed, but if the concern is security, switching your daily driver browser to a brand-new browser that's still in alpha is unfortunately not a good idea.

adhamsalama

10 months ago

Try Firefox with Sideberry extension.

Wingy

10 months ago

Zen and MS Edge have proper vertical tabs.

soundnote

10 months ago

Brave. Vertical tabs, privacy, everything sync is e2ee (unlike eg. Edge).

Vivaldi may also be worth a look. Similar setup: User-oriented team, vertical tabs, e2ee sync. If you like a thorough browser history, I think Vivaldi keeps a more detailed browsing history than most other Chromium browsers.

tomaskafka

10 months ago

Brave is VC funded and needing to extract a billion of value. Just like Arc.

rockostrich

10 months ago

It would be nice if I could download a version of the Arc browser with the cloud bits removed. I use it because of the UI/UX and pretty much ignore everything else. Really if there was a browser that let me keep organized spaces in a left panel plus create split screen views then it would immediately convince me to switch from Arc.

4dm1r4lg3n3r4l

10 months ago

rockostrich

10 months ago

I know about Zen and Floorp. For my day to day browsing Arc has:

# Split screen tabs

Zen and Floorp both have this but the UX for both is really clunky. Surely they'll improve but Arc felt like second nature.

# Little Arcs

As far as I know, neither Zen or Floorp have this feature and if they do then the UX is not as obvious as Arc. The UX around Little Arcs is almost perfect. If I click on a link, it opens as a modal that I can expand to its own tab if I need or dismiss by just clicking away. The same things happens in other apps so I don't lose context just because I wanted to look at a link quick. If I do want to bring that tab into a space then it's 1-2 clicks away. My only gripe with this is that the Little Arcs that are created from clicking links in other apps don't auto dismiss if you change focus but this might just be a setting I don't have configured.

# Inset meetings/videos

AFAIK neither has this feature either. Having videos that are playing just seamlessly pop-up picture-in-picture when navigating away from the video tab is useful enough but the meeting feature is key for me because my company uses Google Meet. I can navigate away from meetings to look-up info/check Slack/etc without losing focus on the meeting itself and getting back to the meeting tab or unmuting myself is 1 click away.

Sure all of these things could probably be accomplished by browser extensions but I think the UI/UX within Arc is pretty tough to compete with.

userbinator

10 months ago

while researching, i saw some data being sent over to the server, like this query everytime you visit a site

I'm not surprised in the least --- basically the vast majority of software these days is spyware. Looking at Arc's privacy page, it appears to be mainly marketing fluff similar to what I've seen from other companies. I have yet to find a privacy policy that says frankly "we only know your IP and time you downloaded the software, for the few weeks before the server logs are overwritten."

hypeatei

10 months ago

Seeing "privacy focused" in any sort of mission statement is almost becoming an indicator of the opposite (I'm sure there's a word for this)

I'd rather a company have simple goals that can be explained in a sentence or two. No hand wavey BS like "we care about your privacy"

latexr

10 months ago

> I have yet to find a privacy policy that says frankly "we only know your IP and time you downloaded the software, for the few weeks before the server logs are overwritten."

Not with those exact words, but that’s Alfred. Server connections are done only to validate the license and check for updates, and you can even disable that.

https://www.alfredapp.com/terms/

> Alfred only contacts our server when activating your Powerpack license in order to validate it, as well as periodically checking for new software updates. You can disable the software update check in the Update preferences, but we recommend keeping this enabled to ensure that you always have the latest version for security reasons and to make the most of the awesome new features!

nickisnoble

10 months ago

Yeah, and no mention of if they addressed this.

SushiHippie

10 months ago

According to their blog post https://arc.net/blog/CVE-2024-45489-incident-response they fixed it:

> We’ve fixed the issues with leaking your current website on navigation while you had the Boost editor open. We don’t log these requests anywhere, and if you didn’t have the Boosts editor open these requests were not made. Regardless this is against our privacy policy and should have never been in the product to begin with.

pknerd

10 months ago

Man I miss these kinds of detective posts on HN

causal

10 months ago

Upvote them, definitely something that makes HN special.

bmelton

10 months ago

    > i discovered that there was a arc featured called easels, easels 
    > are a whiteboard like interface, and you can share them with people, 
    > and they can view them on the web. when i clicked the share button 
    > however, there was no requests in my mitmproxy instance, so whats 
    > happening here?
I first noticed this on a flight to Paris. I was building a Flutter app using Firestore, and tho I had not paid for the onboard wifi (I was doing local development) I was connected and all of my Firestore calls were succeeding.

I thought this was novel, and assumed it was just something to do with websockets, so I switched to another, non-firebase-but-yes-websockets project and noticed it didn't work.

At the time, I debated moving calls to Firebase just so that I could work for free while I was on flights, but realized the ROI wasn't remotely there. Glad to finally have someone else acknowledge it happening, and give some insight as to why.

nijave

10 months ago

Some flights have a free tier of wifi that allows messaging apps. Google Voice and Google Hangouts usually work on those so wouldn't be surprised if some other Google services make it through.

nusl

10 months ago

I’ve been using Arc since it was private, and I really like the browser. The company’s posture on this topic has pretty much made me drop it entirely. It’s beyond abysmal.

aanet

10 months ago

Fascinating vulnerability, and a fascinating way to catch it. Kudos.

BTW, on Arc's website on "Security" there still is no mention of this vulnerability (as of 20th Sep 2024, 2:32 pm PT)

Check it out - https://arc.net/security

Apparently the company had contracted with one Latacora for "regular outside security reviews and trainings across a wide range of different systems".

Elsewhere on the page, it says "Arc uses GCP Firebase for user authentication, storage for Notes & Easels, and Cloud Functions for certain application features like referral code generation. All data stored in Firebase is encrypted-at-rest by default."

radicaldreamer

10 months ago

The security page explicitly claims that Arc doesn't log what you're doing, giving URLs as an example, but this vulnerability claims every URL is being sent up to Firebase.

shermantanktop

10 months ago

User identity must be derived from security context, typically at the edge of the system.

But it’s so much easier for developers to think of userid as just another parameter, and they forget, and oops now they trust a random user-supplied parameter.

tomaskafka

10 months ago

For some time I asked why doesn't Arc let me sync my passwords.

After seeing this level of incompetence, I am happy they didn't attempt that.

Yet.

__jonas

10 months ago

The vulnerability has been patched, but I suppose the browser still makes a firebase query for every website you visit?

That's pretty bad, whether or not they track these requests, just seems wasteful.

orliesaurus

10 months ago

I wish we didn't have to sign up to use a browser in the future

sulandor

10 months ago

just don't use browsers that do

soundnote

10 months ago

With Brave you don't need to, even for sync.

ainiriand

10 months ago

Start -> Control Panel -> Programs and Features -> Search 'Arc' -> Uninstall.

erdinc

10 months ago

...said Windows user.

ainiriand

10 months ago

Even worse, to write the comment I had to ask ChatGPT how it works for windows...

heraldgeezer

10 months ago

Always been weird how this requires an account.

Also the forum shills are worse than Brave ones.

sergiotapia

10 months ago

The firebases and the supabases of the world are crazy to me to build your company on. You are asking for trouble and anchoring your entire company on the health of one saas that is hooked into the foundational aspects of your application!

also it's so incredibly easy to really fuck up and build something exploitable.

are javascript devs really that afraid of doing things themselves to this extreme level?

bschmidt1

10 months ago

What about S3, you don't really need a file storage provider either?

> are javascript devs really that afraid

You might be afraid of JS devs :P Anyway has nothing to do with language, even if it was a super c0ol Ruby-on-Rails app with Active Record and SQL db on a server you manage it's still common to have some stuff in NoSQL for fast access to live data, caches, logs, etc. Most companies at scale will have both SQL and NoSQL dbs in areas. So if you're already using S3 for files, code on GitHub, storing keys in 1Pass, why not use a Firebase or MongoDB for high traffic live data? Especially if they offer built-in scaling and geo deploy options.

This scenario I laid out is kinda to your point of "don't anchor your entire company on it" - the only point I'm trying to add is that you can also use these tools without the company being "anchored" on it, and they could have still ran into the same issue as Arc.

hoothoot

10 months ago

We looked into supporting Arc at work, unfortunately Arc is missing lots of basic security controls which are available in many other Chromium and non-Chromium browsers, these include:

+ The ability to enforce automatic updates + Ability to control which sites extensions/boots are installed on

On top of this there seems to be no way to remove the requirement to have an account to use the browser, selectively choose what data is sent/sync'd from Arc, or disable basic features like Easel through which staff accidentally leak data.

The UI for the browser is great, but Arc really needs to lay the groundwork for strong security controls or it'll struggle to gain (or even maintain) a foothold in the enterprise space.

jongjong

10 months ago

This is a nice investigation and a great read. Sad that they don't normally do bug bounties. $2000 seems small considering the severity of this vulnerability. Though I guess the size and finances of the company is a factor. It takes some serious skills, effort and luck to discover something like that. It should be well compensated.

oefrha

10 months ago

> firestore has a tendency to not abide by the system proxy settings in the Swift SDK for firebase, so going off my hunch, i wrote a frida script to dump the relevant calls.

As someone who has done some reverse engineering of macOS apps but haven't used anything beyond Charles' macOS proxy feature, this looks very painful. Is there a proxy app that maybe acts as a VPN so that basically every HTTP request is guaranteed to go through it, so that you don't need to write a hundred lines of bespoke Frida just to capture requests?

Edit: On second thought Proxifier should work for this purpose.

ibash

10 months ago

mitmproxy.org can act as a wireguard vpn iirc

jrflowers

10 months ago

It is troubling that the browser that cannot be used anonymously displayed questionable behavior adjacent to the mechanism that tells The Browser Company every time you are watching porn

steve_adams_86

10 months ago

I know Firebase is awesome for plenty of reasons. And I’m not disparaging anyone who works hard on it. There’s a ton of great software behind the product.

Unfortunately it’s at the root of almost all of my career’s worst bugs and mistakes (not necessarily caused by me), and it seems like a bit of train wreck in the wrong hands. I’ve had to rescue several clients from it, and have migrated three pretty huge applications off of it now.

I’m not sure what it is exactly. People really abuse the hell out of it.

user

10 months ago

[deleted]

eru

10 months ago

For context: what is this 'arc' that the blog post mentions? I presumes it's not Paul Graham's Lisp dialect in this context?

EDIT: seems to be a browser or so?

habosa

10 months ago

I just want to say that Firebase security rules deny every operation by default. An empty rules file allows nothing.

The devs that wrote these rules had to intentionally allow overly broad reads/writes to this part of their database in order to create this vulnerability. And this had to pass code review and automated testing.

That’s not good, and it has nothing to do with their choice of tools.

treyd

10 months ago

How is this "Arc boost" system not just a more limited ad-hoc version of what WebExtensions already provide?

tech_ken

10 months ago

Oop and I just convinced my wife and brother to move over :o

Props to her, she asked about the security and privacy of the browser and I played it off with some fanboy propaganda. Lesson learned on that one. If I only care about the vertical tabs, workspaces, and a (decent) mobile app are there any good equivalents right now?

diggan

10 months ago

> If I only care about the vertical tabs, workspaces, and a (decent) mobile app are there any good equivalents right now?

I use Firefox mostly because of Sideberry (which does vertical tree-style tabs) which also integrates with "containers", so you can have something similar to workspaces but more isolation. Otherwise there is also "profiles" that probably offer even more isolation between the different profiles.

jonjojojon

10 months ago

Firefox with extensions? The current vertical tabs extensions are not nearly as nice, but Mozilla is working on native vertical tabs. Syncing and Workspaces are already better with Firefox then with Arc.

soundnote

10 months ago

I just use Brave with a shitton of profiles. That does cause problems for mobile use since no Android browser dev has bothered with proper profiles or ability to install multiple copies of the browser, except for Google I guess.

creata

10 months ago

I use Firefox with Sidebery for vertical (specifically, tree style) tabs, plus a userChrome.css to hide the native horizontal tabs. Firefox has mobile apps, and the Android app supports (some) browser extensions.

It works, it's boring, and it doesn't try to shove gimmicky features in my face.

timeon

10 months ago

Even in Safari, you can remove tabs from toolbar (but it is not possible to hide toolbar itself) and have them in sidebar - there are also tab groups.

But experience is probably different.

isatty

10 months ago

$2000 for remote exec on all their users even if it’s all 17 of them? Insultingly low.

merco

10 months ago

Great catch ! Also very cool to know a bit more about the tech they are using.

user

10 months ago

[deleted]

user

10 months ago

[deleted]

maipen

10 months ago

Very small bounty, but I honestly believe this arc thing won’t last long…

Browsers are hard and my only choice has been chrome and will remain so for the long foreseeable future.

When I was younger I would enjoy switching to firefox, opera, etc..

But I always came back to chrome because it just worked and always performed when I needed.

Chrome/chromium is the safest browser.

People tend to fall for the shiny new thing and then realize it was just hype.

Please be very careful about what software you choose to perform most of your activities.

The same applies to these “new ai IDEs” that keep popping up every other say.

appendix-rock

10 months ago

…Firefox as an alternative to Chrome!? Am I really that old!?

I used Chrome for years and years, right from when it first came out. Since then, I switched back to Firefox, and have used it for years. It works perfectly fine.

tomaskafka

10 months ago

Browser is an user agent. Chrome is an advertisement company agent running on your PC, collecting data for that advertising company.

People often confuse these two, but they’re the polar opposites.

lcnPylGDnU4H9OF

10 months ago

> Chrome/chromium is the safest browser.

Why do you say that?

fredgrott

10 months ago

hmm gee I wonder was it worth to value the bug bounty at $2500 given the severity of both the bug and sheer lack skills of the browser company staff...it might even be a reputation destroyed event...

soygem

10 months ago

>proprietary chromium fork with aislop on top No thanks

gsanderson

10 months ago

Yikes.

I tried Arc a while ago but switched back to Chrome. Quite glad I did now.

user

10 months ago

[deleted]

omertoast

10 months ago

$2000 is an insult, good luck getting tips for your future vulns.

phyllistine

10 months ago

Yeah with this and the privacy zinger at the end its definitely time my monthlong experiment with arc comes to a close. Too bad that the thing theyre actually proud of, the tabbing UX, was actually really good.

anigbrowl

10 months ago

Breakthrough technology, indeed.

seanvelasco

10 months ago

eva (kibty.town) and mr. bruh never disappoint!

instagraham

10 months ago

>privacy concerns >while researching, i saw some data being sent over to the server, like this query everytime you visit a site:

> firebase .collection("boosts") .where("creatorID", "==", "UvMIUnuxJ2h0E47fmZPpHLisHn12") .where("hostPattern", "==", "www.google.com");

> the hostPattern being the site you visit, this is against arc's privacy policy which clearly states arc does not know which sites you visit.

wredue

10 months ago

Maybe I am just stupid, but this *super* smells of arc being able to inject whatever they want in to literally any of your websites and this dude just figured out that he could also do that.

This does not seem like a browser capability I want.

soared

10 months ago

What sort of data does Arc track? Our plain-english Privacy Policy summarizes it well:

We don’t know which websites you visit

__turbobrew__

10 months ago

Yea if everything else is not enough of a red flag here, the fact that they are sending every single website you visit to Firebase — against stated privacy policies — is the mother of all red flags.

People say they like arc for the UI and there are all alternatives, but do you really want to risk someone stealing your bank creds and stealing all your money for some fancy UI?

user

10 months ago

[deleted]

tnorthcutt

10 months ago

https://www.crunchbase.com/organization/the-browser-company/...

> Total Funding Amount $68M

the browser company normally does not do bug bounties, but for this catastrophic of a vuln, they decided to award me with $2,000 USD

I'm struggling to put into words how disappointing I find this.

gspencley

10 months ago

I've got a different take. If they're in the VC phase, that means they are not self sufficient. The amount of funding that they've raised is no indication what-so-ever of a) how much of that funding has actually been realized / received b) what their overhead is and c) what their overall financial picture looks like.

I do wish that more companies would take privacy and security seriously. And bug bounty programs are great. But they're not always within the budget of companies and the fact that they decided to award this security researcher regardless of having no such program is a massive win in my opinion and shows how much they value this particular contribution.

nicolasmontone

10 months ago

This is 100% company culture, probably the ones that decide this kind of things are not technical or don't understand how important is this.

user

10 months ago

[deleted]

mcpar-land

10 months ago

Every single thing I've heard about Arc browser has been a massive red flag. Turns out it was even worse than I thought!

user

10 months ago

[deleted]

whatevermom

10 months ago

I’m ashamed I fell for Arc and even recommended it to my friends, as someone whose job is exactly this but with Android apps :(

efilife

10 months ago

They claim so much and their browsers' code is 100% proprietary so it's impossiblen to verify their lies. This is what triggered the bullshit detector in my head

cmsj

10 months ago

I read this from another source and I was a substantial way into it before it became obvious what Arc is.

Blog authors: stop assuming I know about the existence of every piece of software.

(also maybe occasionally consider using the Shift key on your keyboard so you can capitalise things :)

user

10 months ago

[deleted]

Insanity

10 months ago

Damn, that is bad. While I enjoyed reading through the write-up, I think a "summary section" at the top would have benefited me lol.

Someone recently recommended Arc to me, I installed it on my macbook and then never actually used it when I realized there's no Linux version available, and I like a consistent browser experience across all my devices.

radicaldreamer

10 months ago

You can use some Arc AI features to summarize it for you :)