bhaney 22 minutes ago

There are a lot of major security vulnerabilities in the world that were made understandably, and can be forgiven if they're handled responsibly and fixed.

This is not one of them. In my opinion, this shows a kind of reputation-ruining incompetency that would convince me to never use Arc ever again.

ko_pivot 2 hours ago

This is such a fantastic bug. Firebase security rules (like with other BaaS systems like Firebase) have this weird default that is hard to describe. Basically, if I write my own API, I will set the userId of the record (a 'boost' in this case) to the userId from the session, rather than passing it in the request payload. It would never even occur to a developer writing their own API past a certain level of experience to let the client pass (what is supposed to be) their own userId to a protected API route.

On the other hand, with security rules you are trying to imagine every possible misuse of the system regardless of what its programmed use actually is.
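The default ko_pivot describes, as an added example that is not from the thread or from Arc's or Firebase's own code: a Firestore security rules fragment showing the permissive create rule (commented out) beside one that ties a boost's userId to the authenticated session instead of trusting the request payload. The collection path /boosts and the field name userId are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /boosts/{boostId} {
      // Weak form: any signed-in client may create a boost, and nothing
      // checks the userId it sends, so a client can write a record that
      // claims to belong to someone else.
      //
      // allow create: if request.auth != null;

      // Corrected form: the userId stored on the new record must equal the
      // uid of the session that performs the write. The client still sends
      // the field, but the rule rejects any value other than its own uid.
      allow create: if request.auth != null
                    && request.resource.data.userId == request.auth.uid;

      // Owners may read their own boosts only.
      allow read: if request.auth != null
                  && resource.data.userId == request.auth.uid;

      // Owners may update their own boosts, and the update may not
      // reassign the record to another user.
      allow update: if request.auth != null
                    && resource.data.userId == request.auth.uid
                    && request.resource.data.userId == resource.data.userId;

      // Owners may delete their own boosts.
      allow delete: if request.auth != null
                    && resource.data.userId == request.auth.uid;
    }
  }
}
```

The Firebase Rules Playground and the local emulator both let you exercise a write with a mismatched userId against this rule to confirm it is denied before deploying.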