Gaining access to anyones Arc browser without them even visiting a website
(kibty.town) 1469 points by xyzeva 10 months ago
On the other hand, this is pretty impressive:
aug 25 5:48pm: got initial contact over signal (encrypted) with arc co-founder hursh
aug 25 6:02pm: vulnerability poc executed on hursh's arc account
aug 25 6:13pm: added to slack channel after details disclosed over encrypted format
aug 26 9:41pm: vulnerability patched, bounty awarded
sep 6 7:49pm: cve assigned (CVE-2024-45489)
Four hours from out-of-the-blue initial contact until a fix pushed is pretty good, even given how simple this fix probably was.
EDIT: Oh, the date changed; so it was 28 hours until fix. Still decent; and half an hour from initial contact to "Join our slack channel" is incredibly fast response time.
Reacting fast is the least the vendor could do. Bare minimum. This should not be applauded. It should be treated as "well, at least they reacted at a reasonable speed so the root cause was probably not malice".
In other words, a quick turnaround with a fix does not lessen the impact of being negligent about security when designing the product.
> Reacting fast is the least the vendor could do.
It's certainly the least a vendor should do, but it's absolutely not the least a vendor could do, as we see the vast majority of vendors do far, far less. It's worth holding people up and saying, "This is how you should be doing it."
> Reacting fast is the least the vendor could do.
And yet, so few do. Let's remind ourselves the bar sank into the floor a long time ago.
"They put the bandaid over the wound caused by a flagrant disregard for the users privacy, security, and safety."
Phew, glad that's over and will never happen again.
The mandatory account just to try Arc was always a massive red flag to me - and led to me never trying it. Now I’m glad I didn’t!
You could have just borrowed someone else’s, it appears.
Honestly I’ve always considered Arc to be a wolf in sheep’s clothing, especially when it comes to privacy.
50-60mm cash at 500mm (!) valuation and no business model is a big red flag when it comes to something as important, as personal as a browser. This is not a charity. Someone, somehow will have to pay for that.
Yeah I’m so torn. It’s honestly the best browser UX I’ve seen, the right combination of vertical tabs, auto archiving, spaces/collections, sync, etc. I don’t care for Easels, but the core is good.
Except… the growth hacks have started to creep in. They overlay an advert for their own AI services on top of regular Google search results pages in their mobile app. Not even a browser chrome UI element, it’s literally over the page content. That feels like a huge violation of what it means to be a browser.
I don’t want their AI features. I don’t want growth hacks. I don’t want to sign in except for sync. I’d happily pay $40 a year for Arc as a product-focused-product, but as a VC-focused-product it’s heading downhill.
It does get a lot right and feels smooth in ways that Chrome, the various Chrome-clones, and Firefox just don't. It's also ironically the only browser even trying to feel native on Windows, using WinUI/WinAppSDK for its UI there, despite originally being Mac only.
It's unfortunate that other cross platform browsers have such a strong tendency to phone in these little things, because they really do add up to make for a nicer experience.
I'm torn for the same reason: The UX hits all the right notes for me and I've tried every MacOS browser under the sun. I'm an ADHD sufferer and there's something about their combination of features and UI that just lets me get stuff done. And I don't even touch their AI features.
This is all really sad news.
You’d think that a company shipping a browser would pay a little more attention to security rules.
Also, shame on firebase for not making this a bit more idiot proof.
And really? $2500? That’s it? You could’ve owned literally every user of Arc… The NSA would’ve paid a couple more zeros on that.
> You could’ve owned literally every user of Arc… The NSA would’ve paid a couple more zeros on that.
only the 17 users they have.
Shouldn't a government sue you if you try to sell them a vuln, unless you personally know the people in charge?
Are there a lot of Arc users? It seems like a pretty niche browser even compared to other niches.
Having arbitrary browser access would be pretty valuable, even for just a small number of users.
> As of July 2023, The Browser Company has 100,000+ users
https://www.boringbusinessnerd.com/startups/the-browser-comp...
That's a year ago. Looking at how upvoted this bug has been, they do have many users
My brother uses Arc browser; he is a developer. I think he saw it from somebody using it (maybe Theo t3 or some other creator he watches), and he found it cool (plus there were a lot of videos flooded with saying Arc is really great, IDK).
If someone finds something cool on the internet, they are going to try it, given that they are capable of doing so.
He had a Mac so he was able to do so. Even I tried to run Arc on Windows once when it was really beta and only available on Mac (I think now it supports Windows, not sure).
I just kindly want to state that if the NSA could've bought this exploit, they could've simply waited and maybe even promoted Arc themselves (seems unlikely).
Maybe they could've tried to boost the number of Arc users by trying to force the Google and Microsoft search engines through some secret shady company advertising / writing blog posts for Arc / giving Arc funding, or like how we know that there are secret courts in America
(and since these search engines basically constitute a high percentage of how users discover stuff).
People could've credited the success to Arc in that case for getting more users, but the real winner would've been the NSA.
Firestore rules have been in "lock mode" (no read or write allowed) by default for a long time. Then, everything is ultra well explained in the docs.
I was already aware of it when I was a noob dev 10 years ago, and could easily write a rule to enforce auth + ownership. No way seasoned devs can miss that.
Yes. I feel sad that now we have created an incentive where selling to governments is often much more lucrative than telling the vulnerable party (Arc in this case).
(Just imagine: this author was great for telling the company; this is also a cross-platform exploit with very serious issues (I think Arc is available on iOS as well).)
How many such huge vulnerabilities exist that we just don't know about, because the author hasn't disclosed them to the public or the vulnerable party but rather to the NSA or some government agency?
Also, firebase? seriously? this is a company with like, low level software engineers on payroll, and they are using a CRUD backend in a box. cost effective I guess? I wouldn't even have firebase on the long list for a backend if I were architecting something like this. Especially when feature-parity competitors like Supabase just wrap a normal DBMS and auth model.
> low level software engineers on payroll
How does The Browser Company make money? They're giving their product away for free.
Browsers are complicated. It doesn't inspire confidence that the folks in charge of that complexity can't get their heads around a business model.
(Aside: none of their stated company values have anything to do with the product or engineering [1]. They're all about how people feel.)
Well, it's an app that users access all their online info through - bank, email, search, work, social - everything. Even an open-source, decentralized, blockchain, grass-fed, organic, extra virgin, written in nothing but HTML, released by W3C itself browser could monetize just ~5% of market share if users are downloading their build (or if its baked into the source), considering how much a browser reveals about its user and to the extent the user can be retargeted for: Ads, marketing, surveillance, analytics.
The biggest opportunity has to be driving search traffic to the major search providers all these browsers partner with.
Could also get acquired by a major browser vendor if you have a better product and people are downloading it more than the major ones, especially if both are based on the same underlying engine. Even Firefox still sucks to this day. I'm using it right now (Waterfox) the product still sucks! I know of some browser vendors acquiring others, especially as mobile took off and it was hard to get it right.
Seems like the opportunity is similar to that of social media but slightly more modern because nobody uses new social media anymore but people are trying out new browsers (and you get richer user/usage data).
I don't see an issue, using something like Firebase is what a smart engineer would do. Just this one piece of logic is a problem.
I tend to agree with this. Why re-invent the wheel by spending engineering effort building a CRUD backend?
If you're trying to bring value to market, focus on your core differentiator and use existing tooling for your boilerplate stuff.
This convinced me to never use Arc again. I created a small guide to migrate from it to an open-source alternative: https://gist.github.com/clouedoc/4acc8355782f394152d8ce19cea...
TL;DR: it's not possible to export data from Arc, but it's possible to copy-paste the folder to a Chrome profile, and Firefox and other browsers will detect & import it.
I was literally using Arc because of the ability to hide most of the userchrome.
Every time I open split views or tabs I curse. I've said this in the past but layering view multiplexors has to be the most stupid modern "super-user" trap. You have the ability to open multiple browser windows and composite them side by side, use it.
Does anyone know of any other browsers that are chromium based and have very little features aside the ability to hide most of the UI?
I also wrote a guide on ARC features that work better on Firefox: https://thannymack.com/#Arc%20features%20that%20work%20bette...
I agree & disagree.
Browsers are a very important part of our life. If someone compromises our browser, they basically compromise every single aspect of privacy, and it can lead to insane scams.
And because Arc browser is new, they wanted to build fast, and so they used tools like Firebase / Firestore to be capable of moving faster (they are a startup).
Now I have read the article, but I am still not sure how much of this can be attributed to Firebase or to Arc.
On the following page from the same author (I think), https://env.fail/posts/firewreck-1 , the TL;DR states:
- Firebase allows for easy misconfiguration of security rules with zero warnings
- This has resulted in hundreds of sites exposing a total of ~125 Million user records, including plaintext passwords & sensitive billing information
So because Firebase advertises itself to developers as being safe yet isn't, I think Arc succumbed to it.
firestore has a tendency to not abide by the system proxy settings in the Swift SDK for firebase, so going off my hunch,
Also, you say that you have been convinced to never use Arc again.
Did you know that Chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to the websites starting with *.google.com?
This was just recently discovered; just imagine if something more serious is also waiting in the shadows. Couldn't this also be considered a major security vulnerability just waiting to happen, if some other exploit like this is discovered, or google.com is leaked, and now your CPU information and way more other stuff which browsers shouldn't know is with a malicious threat actor?
I very much agree with the idea that browsers are security-sensitive software, unlike, say, a picture editor, and more like an ssh server. It should be assumed to be constantly under attack.
And browser development is exactly not the area where I would like to see the "move fast, break things" attitude. While firebase may be sloppy with security and thus unfit for certain purposes, I would expect competent developers of a browser to do due diligence before considering to use it, or whatever else, for anything even remotely related to security. Or, if they want to experiment, I'd rather that be opt-in, and come with a big banner: "This is experimental software. DO NOT attempt to access your bank account, or your real email account, or your social media accounts".
With that, I don't see much exploit potential in learning stats like the number of cores on your machine. Maybe slightly more chances of fingerprinting, but nothing comparable to the leak through improper usage of firebase.
Hmm, interesting. Another thing to add is that if we treat it as an SSH server, we actually won't try to go out and break things.
But I think that was the whole point of Arc: to break the convention and be something completely new,
and I have a reason why.
They were competing with the giants called Google, Safari, Firefox which have insanely large funding, and their whole point was trying to sell something later built on this Arc browser.
And since Chrome, Firefox etc. don't try to come up with these ideas because, well, security reasons (which I agree with / as seen in the post),
I think Arc wanted to separate itself from Chrome / Firefox, and that's why they became a bit reckless, you could say, since this exploit was available.
Also the other thing I want to convey is that "With that, I don't see much exploit potential in learning stats like the number of cores on your machine"
was only recently discovered. Just imagine the true amount of exploits in these proprietary solutions which we don't know about.
Yeah. Just like an SSH server, I would personally like the source code to be available, but developing browsers is time consuming and money intensive for developers. But Ladybird exists, though it's in beta.
That being said, open source is also not that private (xz), but at least it got discovered way quicker and was mitigated quickly.
You do know that there are more than chrome and arc right?
I understand. I use Firefox / earlier used LibreWolf.
But a lot of people use Chrome, so I wanted to at least try to give justification on why / how Arc messed up so hard.
> Did you know that chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to the websites starting with *.google.com?
That's pretty interesting. Where can I learn more about this?
I recall there being a thread with way more discussion at the time, but I can't put my finger on that thread right now. This post has some information:
>> Did you know that chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to the websites starting with *.google.com?
Yeah so using chrome based browsers like Arc is giving more power to Google to do shady stuff while also being a victim of the third party unsafe code.
Thank you for sharing this. I have been using Arc since the first week of beta.
The fact that they haven't even mentioned this bug/fix on any of their social media is quite alarming.
I enjoyed my time with Arc, but I can't possibly see myself continuing to use it after the way they handled this.
I'm in the same boat as GP. Was invited early, loved the Arc UX far more than any other browser. I've recommended it to many people.
As many other comments have pointed out, this vulnerability is such a rookie mistake that I don't think I can trust them again after this without understanding what factors in their security/engineering culture led to it. Patching this one issue isn't enough.
> Them acknowledging the issue, then fixing it within 28 hours isn't good enough for you?
Are you not concerned with the yet to be discovered vulnerabilities?
What is concerning is the nature of the vulnerability and how it speaks to their security culture (which is obviously non-existent). This also revealed that their privacy policy is pure marketing fluff, completely disconnected from (and, in fact, counter to) their actions.
If you are comfortable using a browser (probably the software with the largest risk and attack surface on your device) that had an embarrassingly rudimentary vulnerability, made by a company who lie about the most important promise of their privacy policy, then I've got a calculator app for you.
They afaik never said that they ‘fixed’ the issue where they’re sending Google your every visited url.
Where did they acknowledge the issue? There’s nothing about this issue on their website or their Twitter feed.
They only acknowledged the issue after the write up from the researcher and claimed they thought they didn't need to include it in the release notes because it was a "backend fix".
$2000 is an insulting amount for such a huge vuln
Judging by blog posts on HN, I got the impression that these vulnerabilities are often not rewarded at all, or rewarded by a minuscule amount. It almost seems like companies are begging hackers to sell these exploits. Perhaps because they aren't penalized by the regulator for breaches?
They offer a low price because the risk of tanking your career, landing yourself in jail, and the fact that the researcher probably doesn't know how to line up a sale means the company is the only buyer.
I would go the other way, companies offer low bug bounties because they don't want researchers to discover them in the first place. This looks terrible for Arc despite the fact if left undisclosed it probably would have continued to be unexploited for years to come.
Yeah, you have to have some solid backbone not to sell this off to some malicious party for 20-50x that amount...
Am I too optimistic? I feel like most regular people I know wouldn’t sell this off. Most people are not antisocial criminals by nature, and also wouldn’t know how to contact a “state actor” even if they wanted to.
> Am I too optimistic? I feel like most regular people I know wouldn’t sell this off.
Probably you're just used to a relatively good life, not a bad thing :)
Imagine being able to sell this off for $20,000 (although I think you could ask for more, seems to be a really bad vulnerability) in a marketplace; for >90% of the world that's a pretty good amount of money that you could survive a long time on or add a lot of additional quality to your life.
Arc is used disproportionately by users who work in tech which tend to be paid quite well.
Am I wrong in thinking that with this vuln you could drain any financial accounts that they log into Arc with? Or, if they use Arc at work, that you now have a way to exfiltrate whatever data you want?
A browser vuln is about as bad as an OS vuln considering how much we use browsers for.
Nice article, but this is hard to read without proper capitalization. My brain uses capitals to scan beginning and ending of text.
Young people (like me) use lowercaps like that all the time. Around 50% of the young people I know purposefully turn off auto-caps on their phone.
Why? I really couldn't say. I think we just like the feel of it. The only reason I type with proper capitalization on HN and my blog is because I know older people read it.
I’m middle-aged. I’ve noticed in the last few months more and more articles with this style. Something I’ve never seen before in blogging or article writing.
I usually notice the style at some point but this time I had no idea until this other commenter pointed it out. I guess I am getting acclimatized.
I was similarly fascinated by the stylistic choices made here. No capitalisation of even any names, no hyphen in a compound adjective, but dots and commas and spaces are deemed necessary, also before "and" where the word clearly acts as separator already. If you look at the waveform of speech, we have no spaces between regular words so, if they want to eliminate unnecessary flourishes... though perhaps (since text largely lacks intonation markers) that makes it too unreadable compared to the other changes. All this is somehow at least as fascinating to me as the vulnerability being described!
It’s just another dumb social media trend, like tYpiNg LiKe tHiS. Hopefully it too will phase out. Search for “lowercase trend” and you’ll find reports of it going years back, there’s nothing worth being fascinated about.
It has seeped into HN as well. Look closely and you’ll notice several commenters type like that.
I use it to indicate tone. Proper capitalization and punctuation reads with a formal, cold tone.
lowercase without caps reads with a warmer, informal tone
there’s a Tom Scott Language Files video documenting it: https://www.youtube.com/watch?v=fS4X1JfX6_Q
Social media? I remember people doing the lowercase thing back on IRC. It was an indicator of informality and "coolness".
If you were using Arc you could add a Boost for "Case: toggle between different capitalization settings - they will apply to all text on the webpage" [1]
/s
[1] https://resources.arc.net/hc/en-us/articles/19212718608151-B...
That's how you ruin a company's reputation. Not saying whether or not it is deserved, but how could anyone trust a browser that had such a big security fail?
And what about all the others that have not been reported or may be exploited?
From now on, every time someone is going to suggest arc browser, there will be another one to remind everyone of that. That's going to be very difficult to overcome when your software already doesn't have that big of a market share.
Instead of knee jerk firebase is bad, can we discuss how this could be abated properly with firebase rules for firestore?
Is this the rule that was missing for Arc's boosts or whatever object?
```
match /objects/{object} {
  // Allow creating a new object if the user is authenticated
  allow create: if request.auth != null;
  // Allow update or delete only if the authenticated user owns the document
  // (evaluating request.auth.uid with no auth context errors out, which denies)
  allow update, delete: if request.auth != null && request.auth.uid == resource.data.ownerUID;
}
```
Great research. As I've said elsewhere, Firebase's authentication model is inherently broken and causes loads of issues, and people would be better off writing a small microservice or serverless function that fronts Firebase.
Also, for anyone trying to read the article, they should put `/oneko.js` in their adblocker.
> Also, for anyone trying to read the article, they should put `/oneko.js` in their adblocker.
Only if you hate cats, pixel art, or are easily distracted.
It's really not hard to build this safely in firebase, this could've been authored the same way in node too. I think whoever authored this either majorly cut corners or just isn't experienced enough to understand how to write authenticated controllers like this. This should scare people away from this browser, it's such a basic thing to mess up and it shouldn't have happened.
The fact that clients write directly into the database and that it's widely encouraged.
There are security rules in Firebase to prevent this, but bolt-on security models that the user has to explicitly enable haven't shown to work.
I'm definitely not the target audience... Even after reading the faq I have no idea what it does
As a person that recently started using it: it has something like "tree style tabs", and sort of a hybrid merge of the concepts of tabs and bookmarks. In other words, the tabs work more like files on disk -- open/closed, sorted into folders. I'm probably not explaining it well either, but I encourage you to try it if you ever wanted to experiment with alternative tab management (tree style tab, tab groups etc). It's a concept that clicked for me quickly once I started using it, and now I'm angry since I want to use Firefox for philosophical reasons but don't want to go back to regular tabs.
Arc was recommended to me by a friend. I deleted it upon finding out I needed an account to use it. The excuse Arc gives is in case you want to sync. I'm capable of opting into that.
It is remarkable that Arc has taken billions of dollars in VC cash but makes these rookie mistakes in securing their own backend that all of their users are accessing. Where are those billions of dollars going? Is it all just in marketing?
Probably the line of thinking is that security can be a back burner issue until product market fit is achieved.
Doesn't matter if you build the most secure product if nobody is using it, right? Where that breaks down is that a browser MUST be relatively secure, otherwise you've given up the whole ballgame.
I really enjoy Arc's approach to the browser interface, but I am kind of shocked that it requires Firebase at all. It touts privacy, but we have to log in, and our data is being stored in a BAAS owned by Google. It would have been SO much simpler to make it so that data is owned by the user and stored on disk. At MOST, maybe a paid syncing feature would require an external database. A takeover path like this is a big deal, but as the author pointed out, they stored URL browsing data for boosts. "Privacy first" browsers are marketing jargon today, and that sucks.
> "Privacy first" browsers are marketing jargon today
A glance at Arc's privacy policy makes it clear they aren't privacy anything [1]. (Contrast their device and product usage data sections with Kagi's [2].)
[1] https://arc.net/privacy#what-personal-data-do-we-collect-and...
[2] https://help.kagi.com/orion/privacy-and-security/respecting-...
the developers working with firebase should enforce common-sense document crud restrictions in the rules. that's just how firebase is. everyone knows it.
now, when talking about ARC BROWSER, i am seriously starting to doubt the competence of the team. I mean, if the rules are broken (no tests? no rules whatsoever?), what else is broken with ARC? are we to await a data leak from ARC?
any browser recommendations with proper vertical tabs and basically everything working like it does in ARC?
Did you take a look at the Zen browser? It's an Arc clone based on Firefox https://zen-browser.app/
I did. It's like 20% an Arc clone, and 80% UX papercuts. Like, you can't have the 'add tab' button on top when the new tab gets added to the bottom. Or that one sidebar button opens a side window to the right of the sidebar, while another below it opens the favorites to the left and moves the whole sidebar from underneath your mouse.
Looks like a minimal effort css restyle of Firefox.
nice. will probably try it in the future.
but the for-some-reason-not-obvious revelation that it's just a product that some team somewhere is working on and the fact that a browser is an important piece of software brought me back to safari (not sure if joke's on me, but in this case I trust apple engineers to do a more thorough job in ensuring my data is secure).
It's not in Alpha though, they've been around for years and have launched formally.
Brave. Vertical tabs, privacy, everything sync is e2ee (unlike e.g. Edge).
Vivaldi may also be worth a look. Similar setup: User-oriented team, vertical tabs, e2ee sync. If you like a thorough browser history, I think Vivaldi keeps a more detailed browsing history than most other Chromium browsers.
Brave is VC funded and needing to extract a billion of value. Just like Arc.
It would be nice if I could download a version of the Arc browser with the cloud bits removed. I use it because of the UI/UX and pretty much ignore everything else. Really if there was a browser that let me keep organized spaces in a left panel plus create split screen views then it would immediately convince me to switch from Arc.
I know about Zen and Floorp. For my day to day browsing Arc has:
# Split screen tabs
Zen and Floorp both have this but the UX for both is really clunky. Surely they'll improve but Arc felt like second nature.
# Little Arcs
As far as I know, neither Zen or Floorp have this feature and if they do then the UX is not as obvious as Arc. The UX around Little Arcs is almost perfect. If I click on a link, it opens as a modal that I can expand to its own tab if I need or dismiss by just clicking away. The same things happens in other apps so I don't lose context just because I wanted to look at a link quick. If I do want to bring that tab into a space then it's 1-2 clicks away. My only gripe with this is that the Little Arcs that are created from clicking links in other apps don't auto dismiss if you change focus but this might just be a setting I don't have configured.
# Inset meetings/videos
AFAIK neither has this feature either. Having videos that are playing just seamlessly pop-up picture-in-picture when navigating away from the video tab is useful enough but the meeting feature is key for me because my company uses Google Meet. I can navigate away from meetings to look-up info/check Slack/etc without losing focus on the meeting itself and getting back to the meeting tab or unmuting myself is 1 click away.
Sure all of these things could probably be accomplished by browser extensions but I think the UI/UX within Arc is pretty tough to compete with.
while researching, i saw some data being sent over to the server, like this query every time you visit a site
I'm not surprised in the least --- basically the vast majority of software these days is spyware. Looking at Arc's privacy page, it appears to be mainly marketing fluff similar to what I've seen from other companies. I have yet to find a privacy policy that says frankly "we only know your IP and time you downloaded the software, for the few weeks before the server logs are overwritten."
Seeing "privacy focused" in any sort of mission statement is almost becoming an indicator of the opposite (I'm sure there's a word for this)
I'd rather a company have simple goals that can be explained in a sentence or two. No hand wavey BS like "we care about your privacy"
> I have yet to find a privacy policy that says frankly "we only know your IP and time you downloaded the software, for the few weeks before the server logs are overwritten."
Not with those exact words, but that’s Alfred. Server connections are done only to validate the license and check for updates, and you can even disable that.
https://www.alfredapp.com/terms/
> Alfred only contacts our server when activating your Powerpack license in order to validate it, as well as periodically checking for new software updates. You can disable the software update check in the Update preferences, but we recommend keeping this enabled to ensure that you always have the latest version for security reasons and to make the most of the awesome new features!
According to their blog post https://arc.net/blog/CVE-2024-45489-incident-response they fixed it:
> We’ve fixed the issues with leaking your current website on navigation while you had the Boost editor open. We don’t log these requests anywhere, and if you didn’t have the Boosts editor open these requests were not made. Regardless this is against our privacy policy and should have never been in the product to begin with.
> i discovered that there was an arc feature called easels, easels
> are a whiteboard like interface, and you can share them with people,
> and they can view them on the web. when i clicked the share button
> however, there were no requests in my mitmproxy instance, so what's
> happening here?
I first noticed this on a flight to Paris. I was building a Flutter app using Firestore, and though I had not paid for the onboard wifi (I was doing local development) I was connected and all of my Firestore calls were succeeding. I thought this was novel, and assumed it was just something to do with websockets, so I switched to another, non-firebase-but-yes-websockets project and noticed it didn't work.
At the time, I debated moving calls to Firebase just so that I could work for free while I was on flights, but realized the ROI wasn't remotely there. Glad to finally have someone else acknowledge it happening, and give some insight as to why.
Fascinating vulnerability, and a fascinating way to catch it. Kudos.
BTW, on Arc's website on "Security" there still is no mention of this vulnerability (as of 20th Sep 2024, 2:32 pm PT)
Check it out - https://arc.net/security
Apparently the company had contracted with one Latacora for "regular outside security reviews and trainings across a wide range of different systems".
Elsewhere on the page, it says "Arc uses GCP Firebase for user authentication, storage for Notes & Easels, and Cloud Functions for certain application features like referral code generation. All data stored in Firebase is encrypted-at-rest by default."
The security page explicitly claims that Arc doesn't log what you're doing, giving URLs as an example, but this vulnerability claims every URL is being sent up to Firebase.
User identity must be derived from security context, typically at the edge of the system.
But it’s so much easier for developers to think of userid as just another parameter, and they forget, and oops now they trust a random user-supplied parameter.
For some time I asked why Arc doesn't let me sync my passwords.
After seeing this level of incompetence, I am happy they didn't attempt that.
Yet.
I wish we didn't have to sign up to use a browser in the future
Always been weird how this requires an account.
Also the forum shills are worse than Brave ones.
The firebases and the supabases of the world are crazy to me to build your company on. You are asking for trouble and anchoring your entire company on the health of one saas that is hooked into the foundational aspects of your application!
Also, it's so incredibly easy to really fuck up and build something exploitable.
Are JavaScript devs really that afraid of doing things themselves to this extreme level?
What about S3, you don't really need a file storage provider either?
> Are JavaScript devs really that afraid
You might be afraid of JS devs :P Anyway, it has nothing to do with language; even if it was a super c0ol Ruby-on-Rails app with Active Record and a SQL db on a server you manage, it's still common to have some stuff in NoSQL for fast access to live data, caches, logs, etc. Most companies at scale will have both SQL and NoSQL dbs in areas. So if you're already using S3 for files, code on GitHub, storing keys in 1Pass, why not use a Firebase or MongoDB for high traffic live data? Especially if they offer built-in scaling and geo deploy options.
This scenario I laid out is kinda to your point of "don't anchor your entire company on it" - the only point I'm trying to add is that you can also use these tools without the company being "anchored" on it, and they could still have run into the same issue as Arc.
I mentioned JavaScript because I mostly see that cohort jump feet first into services like firebase/supabase/clerk/vercel/etc.
We looked into supporting Arc at work. Unfortunately, Arc is missing lots of basic security controls that are available in many other Chromium and non-Chromium browsers. These include:
+ The ability to enforce automatic updates
+ Ability to control which sites extensions/boosts are installed on
On top of this there seems to be no way to remove the requirement to have an account to use the browser, selectively choose what data is sent/sync'd from Arc, or disable basic features like Easel through which staff accidentally leak data.
The UI for the browser is great, but Arc really needs to lay the groundwork for strong security controls or it'll struggle to gain (or even maintain) a foothold in the enterprise space.
This is a nice investigation and a great read. Sad that they don't normally do bug bounties. $2000 seems small considering the severity of this vulnerability. Though I guess the size and finances of the company are a factor. It takes some serious skills, effort and luck to discover something like that. It should be well compensated.
> firestore has a tendency to not abide by the system proxy settings in the Swift SDK for firebase, so going off my hunch, i wrote a frida script to dump the relevant calls.
As someone who has done some reverse engineering of macOS apps but hasn't used anything beyond Charles' macOS proxy feature, this looks very painful. Is there a proxy app that maybe acts as a VPN so that basically every HTTP request is guaranteed to go through it, so that you don't need to write a hundred lines of bespoke Frida just to capture requests?
Edit: On second thought Proxifier should work for this purpose.
To add to u/ibash's comment, mitmproxy correctly implements a macOS network extension: https://mitmproxy.org/posts/local-redirect/macos/
I assume you'll have to install a root cert in order to introspect HTTPS traffic though.
I know Firebase is awesome for plenty of reasons. And I’m not disparaging anyone who works hard on it. There’s a ton of great software behind the product.
Unfortunately it’s at the root of almost all of my career’s worst bugs and mistakes (not necessarily caused by me), and it seems like a bit of a train wreck in the wrong hands. I’ve had to rescue several clients from it, and have migrated three pretty huge applications off of it now.
I’m not sure what it is exactly. People really abuse the hell out of it.
Yes, it's a new browser that tries to change the UX from traditional browsers: https://arc.net/
I just want to say that Firebase security rules deny every operation by default. An empty rules file allows nothing.
The devs that wrote these rules had to intentionally allow overly broad reads/writes to this part of their database in order to create this vulnerability. And this had to pass code review and automated testing.
That’s not good, and it has nothing to do with their choice of tools.
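An added example, not Arc's or Firebase's code, that serves both this comment and the earlier point that user identity must come from the security context rather than from a request parameter: it simulates a Firestore-style write rule in plain JavaScript, with the overly broad rule beside a hardened one that binds `creatorID` to the verified uid of the caller. The collection model, rule functions, uids and host are all constructed for illustration; only the rules syntax quoted in the comment is real Firestore syntax.

```javascript
// Constructed model of a Firestore-style "boosts" collection guarded by a write
// rule. The hardened check in real Firestore rules would read roughly:
//   match /boosts/{id} {
//     allow read:  if request.auth != null && resource.data.creatorID == request.auth.uid;
//     allow write: if request.auth != null && request.resource.data.creatorID == request.auth.uid;
//   }
// Everything below is a plain-JS stand-in for that evaluation (hypothetical code).

// Overly broad rule: any signed-in user may write any document, whatever creatorID
// it carries. This mirrors the "intentionally broad" rule the comment describes.
function weakWriteRule(auth, _doc) {
  return auth !== null;
}

// Hardened rule: creatorID must equal the verified uid from the auth context,
// so the client cannot choose whose boost it is writing.
function strictWriteRule(auth, doc) {
  return auth !== null && doc.creatorID === auth.uid;
}

// Minimal in-memory collection; write() returns whether the rule allowed the write.
class BoostCollection {
  constructor(writeRule) {
    this.writeRule = writeRule;
    this.docs = [];
  }
  write(auth, doc) {
    if (!this.writeRule(auth, doc)) return false;
    this.docs.push({ ...doc });
    return true;
  }
  // The victim's client loads its own boosts for the current host, matching the
  // query shape quoted later in this thread (creatorID == uid, hostPattern == host).
  boostsFor(uid, host) {
    return this.docs.filter((d) => d.creatorID === uid && d.hostPattern === host);
  }
}

// Constructed identities (not real uids).
const attacker = { uid: "attacker-uid-0001" };
const VICTIM_UID = "victim-uid-0002";

// Number of boosts the victim would load for www.example.com under a given rule,
// after another account tries to store a boost carrying the victim's creatorID.
function plantedBoostCount(writeRule) {
  const boosts = new BoostCollection(writeRule);
  boosts.write(attacker, {
    creatorID: VICTIM_UID, // spoofed: chosen by the writer, not by the auth context
    hostPattern: "www.example.com",
    css: "/* placeholder content */",
  });
  return boosts.boostsFor(VICTIM_UID, "www.example.com").length;
}
```

Under `weakWriteRule` the spoofed document lands in the victim's query results; under `strictWriteRule` the write is refused at the rule layer, which is the check the comment says an empty rules file already gives you by default.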
Oop and I just convinced my wife and brother to move over :o
Props to her, she asked about the security and privacy of the browser and I played it off with some fanboy propaganda. Lesson learned on that one. If I only care about the vertical tabs, workspaces, and a (decent) mobile app are there any good equivalents right now?
> If I only care about the vertical tabs, workspaces, and a (decent) mobile app are there any good equivalents right now?
I use Firefox mostly because of Sidebery (which does vertical tree-style tabs), which also integrates with "containers", so you can have something similar to workspaces but with more isolation. Otherwise there are also "profiles" that probably offer even more isolation between the different profiles.
Firefox with extensions? The current vertical tabs extensions are not nearly as nice, but Mozilla is working on native vertical tabs. Syncing and Workspaces are already better with Firefox than with Arc.
I use Firefox with Sidebery for vertical (specifically, tree style) tabs, plus a userChrome.css to hide the native horizontal tabs. Firefox has mobile apps, and the Android app supports (some) browser extensions.
It works, it's boring, and it doesn't try to shove gimmicky features in my face.
Very small bounty, but I honestly believe this arc thing won’t last long…
Browsers are hard and my only choice has been Chrome and will remain so for the long foreseeable future.
When I was younger I would enjoy switching to Firefox, Opera, etc.
But I always came back to Chrome because it just worked and always performed when I needed.
Chrome/Chromium is the safest browser.
People tend to fall for the shiny new thing and then realize it was just hype.
Please be very careful about what software you choose to perform most of your activities.
The same applies to these “new AI IDEs” that keep popping up every other day.
…Firefox as an alternative to Chrome!? Am I really that old!?
I used Chrome for years and years, right from when it first came out. Since then, I switched back to Firefox, and have used it for years. It works perfectly fine.
A browser is a user agent. Chrome is an advertisement company's agent running on your PC, collecting data for that advertising company.
People often confuse these two, but they’re the polar opposites.
> Chrome/Chromium is the safest browser.
Why do you say that?
1. Chrome's security team has a very good reputation.
2. I don't know how accurate it is in 2024, but there are comparisons like https://madaidans-insecurities.github.io/firefox-chromium.ht... out there.
https://www.mossad.gov.il/contact-us/en
Interestingly enough, contains a field for entering your Father's name (but not your mother's).
Yikes.
I tried Arc a while ago but switched back to Chrome. Quite glad I did now.
Yeah, with this and the privacy zinger at the end it's definitely time my monthlong experiment with Arc comes to a close. Too bad that the thing they're actually proud of, the tabbing UX, was actually really good.
> privacy concerns
> while researching, i saw some data being sent over to the server, like this query every time you visit a site:
> firebase .collection("boosts") .where("creatorID", "==", "UvMIUnuxJ2h0E47fmZPpHLisHn12") .where("hostPattern", "==", "www.google.com");
> the hostPattern being the site you visit, this is against arc's privacy policy which clearly states arc does not know which sites you visit.
seems like it is the case: https://news.ycombinator.com/item?id=41601332
Yea if everything else is not enough of a red flag here, the fact that they are sending every single website you visit to Firebase — against stated privacy policies — is the mother of all red flags.
People say they like arc for the UI and there are all alternatives, but do you really want to risk someone stealing your bank creds and stealing all your money for some fancy UI?
https://www.crunchbase.com/organization/the-browser-company/...
> Total Funding Amount $68M
> the browser company normally does not do bug bounties, but for this catastrophic of a vuln, they decided to award me with $2,000 USD
I'm struggling to put into words how disappointing I find this.
I've got a different take. If they're in the VC phase, that means they are not self sufficient. The amount of funding that they've raised is no indication whatsoever of a) how much of that funding has actually been realized / received, b) what their overhead is, and c) what their overall financial picture looks like.
I do wish that more companies would take privacy and security seriously. And bug bounty programs are great. But they're not always within the budget of companies and the fact that they decided to award this security researcher regardless of having no such program is a massive win in my opinion and shows how much they value this particular contribution.
Thanks for the reply! I think I disagree with you, mostly because it seems like this particular bug could have been company-destroying because of the potential reputation hit if it was exploited on a wide scale.
But regardless, I appreciate your perspective and it gives me some stuff to consider I hadn't previously.
I think we all know that tech debt often lives forever, so if you're going to start a browser company, you simply must be thinking about security/privacy from day one. If the VC model doesn't make that possible, then the only reasonable conclusion is that browsers shouldn't be a thing that VC funded startups work on.
I appreciate your response, and largely agree with you. But you can take security seriously without having a program in place to pay non employees for work they did without you asking them to.
Also, while I love companies that have bug bounty programs... I don't think any company without such a program is under any obligation to pay someone just because they volunteered their time without the company knowing about it or soliciting the work in any way.
So the fact that they did in this case, despite having no program, is what I'm choosing to focus on.
I want to share a personal anecdote to put my opinion into more perspective. I owned a small business operating a for-profit website for 18 years, for 15 of those years it was my primary source of income. I had no employees other than myself. It was just me on my own working from home. I earned enough to pay the bills, but I'm currently earning 2x what my business earned at its peak traffic by being an employee. So it's not like I had money to be paying people... it was pretty much an average software engineer's salary in terms of what I brought in.
Anyway, over those 18 years I had a few dealings with some white-hats who were very nice and clued me in to some issues. I thanked them and when they politely asked if "we" (because they didn't know any better) had a program it was a non-issue when I explained that I'm too broke as a one-person shop trying to feed a family to be paying out anything substantial but I could PayPal a cup of coffee or something for their trouble. But then I had a few dealings with complete shady assholes who tried to extort money out of me by threatening to exploit what they had found and go public and basically drag my reputation through the mud.
Experiences with the latter group make me sympathize a lot more with companies that decide to have a policy of just blanket not dealing with outside security researchers, to take the information and then deal with the fixes internally and quietly.
This is 100% company culture; probably the ones that decide this kind of thing are not technical or don't understand how important this is.
They disclosed the vulnerability directly to the co-founder CTO.
> the timeline for the vulnerability:
> aug 25 5:48pm: got initial contact over signal (encrypted) with arc co-founder hursh
> aug 25 6:02pm: vulnerability poc executed on hursh's arc account
Arc is a great product, it's the nicest web browser to use, you can tell these people are really good at their jobs in many respects (though apparently not security?!?). Probably a lot of investors saw that too and are willing to fund a very strong team with the hope of eventual product-market fit.
Every single thing I've heard about Arc browser has been a massive red flag. Turns out it was even worse than I thought!
I’m ashamed I fell for Arc and even recommended it to my friends, as someone whose job is exactly this but with Android apps :(
> They claim so much and their browsers' code is 100% proprietary
Far from me to defend Arc (I dislike it for several reasons) but it’s based on Chromium so it’s far from 100% proprietary. Don’t Edge, Vivaldi, and even Chrome have proprietary layers on top of the open-source Chromium?
I read this from another source and I was a substantial way into it before it became obvious what Arc is.
Blog authors: stop assuming I know about the existence of every piece of software.
(also maybe occasionally consider using the Shift key on your keyboard so you can capitalise things :)
The dog is actually a cat named Neko.
Good pun :)
HN tends to be a little hard on brief comments. My current understanding is that comments with little substance are totally acceptable provided they're good natured.
For example this comment by dang "There's nothing wrong with submitting a comment saying just "Thanks."" https://news.ycombinator.com/item?id=37251836.
Also from the guidelines "Comments should get more thoughtful and substantive, not less, as a topic gets more divisive": this post's topic doesn't likely qualify as divisive.
Damn, that is bad. While I enjoyed reading through the write-up, I think a "summary section" at the top would have benefited me lol.
Someone recently recommended Arc to me. I installed it on my MacBook and then never actually used it when I realized there's no Linux version available, and I like a consistent browser experience across all my devices.
You can use some Arc AI features to summarize it for you :)
There are a lot of major security vulnerabilities in the world that were made understandably, and can be forgiven if they're handled responsibly and fixed.
This is not one of them. In my opinion, this shows a kind of reputation-ruining incompetency that would convince me to never use Arc ever again.