Comment by ha470 10 months ago

120 replies

I’m Hursh, cofounder and CTO of The Browser Company (the company that makes Arc). Even though no users were affected and we patched it right away, the hypothetical depth of this vulnerability is unacceptable. We’ve written up some technical details and how we’ll improve in the future (including moving off Firebase and setting up a proper bug bounty program) here: https://arc.net/blog/CVE-2024-45489-incident-response.

I'm really sorry about this, both the vuln itself and the delayed comms around it, and really appreciate all the feedback here – everything from disappointment to outrage to encouragement. It holds us accountable to do better, and makes sure we prioritize this moving forward. Thank you so much.

ayhanfuat 10 months ago

Was the post written for HN users only? I cannot see it on your blog page (https://arc.net/blog). It’s not posted on your twitter either. Your whole handling seems to be responding only if there is enough noise about it.

  • sushid 10 months ago

    Hursh, can you please respond to the above commenter? As an early adopter, I find it fairly troubling to see a company that touts transparency hide the blog post and only publicly "own up to it" within the confines of a single HN thread.

    • ha470 10 months ago

      We’re working on a proper security bulletin site that will have these front and center! This was a bit of a stopgap for now.

      • xelamonster 10 months ago

        Security bulletin is posted up top on the blog page now, but I have to say it doesn't exactly give me a warm and fuzzy feeling.

        It falls a bit flat for me where you address the tracking of domains visited by users, I don't think this accurately addresses or identifies the core issues. When you say "this is against our privacy policy and should have never been in the product to begin with"--okay, so how did it get there? This wasn't a data leak due to a bug, it was an intentionally designed feature that made its way through any review process which might be in place to production without being challenged. What processes will you put in place to prevent future hidden violations of your stated policies?

        Edit just to say, dubious as I am I sincerely hope Arc can overcome these issues and succeed. We desperately need more browsers, badly enough that I'll even settle for a Chromium-based one as long as it isn't made by Microsoft.

      • zamadatix 10 months ago

        Right now you and Arc are advertising it's ideal to position posts such as "Hidden Features in Arc Search" to users, but security bulletins and remediations are something that need a hidden stopgap until you've scrambled to build an alternative site to hide them away at instead.

        Browser security is more than finding the best PR strategy, it's a mindset that prioritizes the user's well being over the product's image. I've deleted my account and uninstalled Arc. Not because of the issue in itself, but because it's clear what the response has been aiming to protect (not my data).

    • wahnfrieden 10 months ago

      Pretty obvious now that Arc will only share security alerts with the people who "catch" them at it - as few as possible

      Leaves no choice but for this community to make the rest of the Arc community aware of it as they refuse the transparency

  • titaniumtown 10 months ago

    Not a good look it not being on the main page! I personally use [zen browser](https://github.com/zen-browser/desktop); I like the ideas of Arc, but it always seemed sketchy to me, especially it being Chromium-based and closed-source.

    • zamadatix 10 months ago

      Heads up: HN doesn't support link naming markdown and some of the extra characters broke the hyperlink.

      In case the parent can't fix it in time for the edit window: https://github.com/zen-browser/desktop

      • apitman 10 months ago

        I wouldn't be surprised if some HN client apps support markdown.

    • footy 10 months ago

      I used Arc for a while because, despite my misgivings about using a browser that requires an account etc., the workflow was very good for me.

      I started moving to Zen about a week ago; hearing about this vulnerability yesterday, and especially seeing their reaction to it, I know I made the right choice in leaving Arc.

    • gukkey 10 months ago

      The only feature Zen browser is missing is tab folders; once they implement it I really don't have a reason to have Arc browser anymore.

      • GreenWatermelon 10 months ago

        Hell despite missing tab groups, Zen browser is the only browser that finally had a "good enough" vertical tabs implementation, which allowed me to finally drop Edge as my main browser.

    • zem 10 months ago

      zen looks really nice! thanks for the pointer.

tomjakubowski 10 months ago

Hi Hursh, I'm Tom. A couple friends use Arc and they like it, so I had considered switching to it myself. Now, I won't, not really because of this vulnerability itself (startups make mistakes), but because you paid a measly $2k bounty for a bug that owns, in a dangerous way, all of your users. I won't use a browser made by a vendor who takes the security of their users this unseriously.

By the way, I don't know for sure, but given the severity I suspect on the black market this bug would have gone for a _lot_ more than $2k.

  • poincaredisk 10 months ago

    Selling a vulnerability on the black market is immoral and may be illegal. The goal of bug bounty programs was initially to signal "we won't sue white hat researchers who disclose their findings to us"; when did it evolve into "pay me more than criminals would, or else"?

    • tolmasky 10 months ago

      Let's set aside morality for a second. There is a reason low payouts are bad without even having to consider the black market: it pushes people to search for bugs in a competitor's app that pays more instead of in your app!

      If your app is paying out $2K and a competing app pays out $100K, why would anyone bother searching for bugs in your app? Every minute spent researching your app pays 1/50th of what you'd get searching in the competing app (unless your app has 50x more bugs I suppose, but perhaps then you have bigger problems...).

      I'm always so confused by the negative responses to people asking for higher bug bounties. It feels like it still comes from this weird entitlement that researchers owe you the bug report. Perhaps they do. But you know what they definitely don't owe you? Looking for new bugs! Ultimately this attitude always leads to the same place: the places that pay more protect their users better. It is thus completely reasonable to decide not to use a product as a user if the company that makes the product isn't paying high bug bounties. It's the same as discovering that a restaurant is cheaping out on health inspections and deciding to no longer eat there.

      • voidwtf 10 months ago

        Bug bounties are always in relation to severity, number of users potentially at risk, and market cap. A browser operating at a deficit from a small company with a small market share cannot pay 100k even if they wanted to.

        If you and a couple friends released an app that had 50k users and you’d not even broken even, can I claim my 100k by finding a critical RCE?

      • xelamonster 10 months ago

        Right, part of the idea is to close the gap in incentives for white hats looking for vulnerabilities to report and black hats looking for the same to exploit. You don't have to beat the black market price of a vuln because that route is much riskier, but somewhere at least in the same order of magnitude sounds decent.

        It's not about viewing security researchers as sociopaths who will always sell to the highest bidder, the fact is there will always be criminals going for exploits and bug bounties can help not just by paying off someone that would have otherwise abused a bug but also by attracting an equally motivated team who would otherwise be entirely uninvolved to play defense.

  • JumpCrisscross 10 months ago

    > because you paid a measly $2k bounty for a bug that owns, in a dangerous way, all of your users

    The case is redeemable. It may still be an opportunity if handled deftly. But it would require an almost theatrical display of generosity to the white hat (together, likely, with a re-constituting of the engineering team).

  • ljm 10 months ago

    You have no idea but you suspect someone could have made more?

    • xelamonster 10 months ago

      After thinking about it for a good long ten seconds, yeah. It would be very easy to steal users' banking information with this. If you crack into one single bank account you have a decent shot at making over $2k right there, a skilled hacker could do a lot more.

  • tengbretson 10 months ago

    So you're not going to use Arc. How much do you pay for the browser you do use?

    • lytedev 10 months ago

      Statistically, Tom is using a browser that cost him $0. Why are you asking?

  • keepamovin 10 months ago

    Should have at least paid €1 per user. Eh, maybe that’s what they did?

rachofsunshine 10 months ago

Comments further down are concerned that on each page load, you're sending both the URL and a(n identifiable?) user ID to TBC. You may want to comment on that, since I think it's reasonable to say that those of us using not-Chrome (I don't use Arc personally, but I'm definitely in the 1% of browser users) are likely to also be the sort of person concerned with privacy. Vulnerabilities happen, but sending browsing data seems like a deliberate design choice.

  • mthoms 10 months ago

    I think that is addressed in the post. Apparently the URL was only sent under certain conditions and has since been addressed:

    >We’ve fixed the issues with leaking your current website on navigation while you had the Boost editor open. We don’t log these requests anywhere, and if you didn’t have the Boosts editor open these requests were not made. Regardless this is against our privacy policy and should have never been in the product to begin with.

    Given the context (boosts need to know the URL they apply to after all) this indeed was a "deliberate design choice" but not in the manner you appear to be suggesting. It's still very worrisome, I agree.

tyho 10 months ago

There isn't really anything you can do to convince me that your team has the expertise to maintain a browser after this. It doesn't matter that you have fixed it, your team is clearly not capable of writing a secure browser, now or ever.

I think this should be a resigning matter for the CTO.

  • avarun 10 months ago

    And what, you’re going to find them a new CTO? What kind of magical world do you live in where problems are solved by leaders resigning, instead of stepping up and taking accountability?

    • smt88 10 months ago

      Taking accountability can and should include admitting you're the wrong person for the job and resigning.

      • radicaldreamer 10 months ago

        CTO is simply a title, the proper response here would be to hire a head of security and build it into the culture from the ground up.

        I'm looking at all of the Arc Max features which probably need to be architected correctly to be secure/privacy-preserving.

        They could take a lot of inspiration from iCloud Private Relay and iOS security architectures in addition to really understanding the Chrome security model.

    • strunz 10 months ago

      What kind of accountability is it when there's no personal consequences?

    • yas_hmaheshwari 10 months ago

      Yeah, I also think that asking someone to resign for this does not look like a proportionate response

      They are owning up to their mistakes and making sure such things don't happen again (and increasing the amount from 2K :-)) seems like the right approach to me

  • pembrook 10 months ago

    Surprise surprise, turns out it takes a looong time for every software startup to finally strip out all the hacky stuff from their MVP days. Apparently nobody on this startup community forum has ever built a startup before.

    Pro tip: if stuff like this violently upsets you, never be an early adopter of anything. Wait 5-10 years and then make your move.

    Personally, I expect stuff like this from challenger alternatives, this is the way it should be. There is no such thing as a new, bug-free software product. Software gets good by gaining adoption and going through battle testing, it’s never the other way around like some big company worker would imagine.

    • thruway516 10 months ago

      I don't think you understood the severity or the noobiness of the error. This is a browser, not a CRUD app or Electron app. A browser is a complex system-level piece of software, not a hacky MVP, and this kind of error shows that maybe they don't have the competence to be building something like this. It makes you wonder what other basic flaws are there just waiting to be exploited, even if it's built on top of Chromium. Would you fly in an MVP airplane built by bicycle engineers? (Maybe not the best analogy since the first airplane was built by bicycle engineers.)

      • pembrook 10 months ago

        Agreed, I wouldn’t have hopped on the first airplane with some bicyclist named Wilbur. That would involve risk of immediate physical harm.

        On the other hand, we’re talking about a 2 year old browser leaking what websites you visit. Do you also think Firefox in 2006 was bulletproof? The entire internet and every single OS & browser was a leaky bucket back then.

        The current safety-ism, paranoia and risk-aversion around consumer software on this forum is hilarious to me. Maybe they shouldn’t have called this place “Hacker” news, because it’s now full of people LARPing as international intelligence agency targets from a 90s movie. If the prying Five Eyes are such a concern for you, maybe use a fake email when signing up for stuff and your browser history is instantly anonymized.

        Yes, startups involve lots of risk (to everyone involved: users/employees/founders/investors). But risk is the only way we get new things. If those risks are too scary for you, stay far away from startups.

        • thruway516 10 months ago

          You're speaking in bland hand-wavy generalities and, like I said before, I'm not sure you understood the issue or even read the write-up, since you're not really addressing it specifically (it's a whole lot more than 'leaking'). To extend the analogy, this is like having bike engineers build an MVP supersonic jet and you find out they are using bike brakes to stop the thing. It's not even just merely an error, it's about some very questionable architecture. This is not a Mozilla innovating the browser and making the mistakes you get when you're experimenting-and-innovating-something-new type situation at all, and it has nothing to do with paranoia or Five Eyes lol.

  • Insanity 10 months ago

    Well, the current team perhaps.

    But it's also likely part of the startup mentality of "move fast and break things", which is not entirely compatible with the goal of a browser.

bloopernova 10 months ago

Will you be increasing the bug bounty payout? $2,000 is a tiny fraction of what this bug is worth, I hope you will pay the discoverer a proper bounty.

You've been handed a golden opportunity to set the right course.

  • JumpCrisscross 10 months ago

    > $2,000 is a tiny fraction of what this bug is worth

    The Browser Company raised $50mm at a $550mm post-money valuation in March [1]. They’ve raised $125mm altogether.

    Unless they’re absolute asshats, they’ll increase the bug payout. But people act truly when they don’t think they’re being watched—a vulnerability of this magnitude was worth $2k to this company. That’s…eyebrow raising.

    [1] https://techcrunch.com/2024/03/21/the-browser-company-raises...

    • shuckles 10 months ago

      "We will let anyone run arbitrary JavaScript on all your web pages if you send them a referral link" is surely a 6-7 figure vulnerability for a web browser. That this vulnerability was discoverable using about two steps of analysis tools suggests many more issues are in the product.

      • rafram 10 months ago

        Not just that - seems like it allowed running privileged JavaScript (full access to your system) on the preferences page as well.

    • behringer 10 months ago

      It doesn't matter what bug bounty they pay. If it was 200k people would say it's not enough.

  • Laaas 10 months ago

    Any new vulnerability will be sold to the highest bidder and/or exploited instead of being reported for the bug bounty because of this.

    • poincaredisk 10 months ago

      Most of the vulnerabilities I've disclosed, and I've seen disclosed, were disclosed for free, with no expectation of getting anything. Why do you think every researcher is an amoral penny pincher who will just sell exploits without caring for the consequences?

      • Novosell 10 months ago

        Wanting money to live = penny pinching. Very cool.

    • UncleMeat 10 months ago

      I know a lot of different people who do independent security research and have submitted vulns to bounty programs. Not a single one would even come close to saying "well, the bounty is low so I'll sell this on the black market."

      Low bounties might mean that somebody doesn't bother to look at a product or doesn't bother to disclose beyond firing off an email or maybe even just publishes details on their blog on their own.

      Bounties aren't really meant to compete with black markets. This is true even for the major tech companies that have large bounties.

qwertox 10 months ago

> including moving off Firebase

Firebase is not to blame here. It's a solid technology which just has to be used properly. Google highlights the fact that setting up ACLs is critical and provides examples on how to set them up correctly.

If none of the developers who were integrating the product into Arc bothered about dealing with the ACLs, then they are either noobs or simply didn't care about security.

  • com2kid 10 months ago

    Saying Google provides examples is being rather nice about it.

    Firebase ACLs are a constant source of vulnerabilities largely because they are confusing and don't have enough documentation around them.
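    The ACL point raised by qwertox and com2kid above, as an added example that is not part of the original thread and is neither Arc's rules nor Google's sample code: a Firestore security rules file showing the over-broad "any signed-in user can write anything" rule beside a hardened owner-only version. The collection name `userData` and the `ownerId` field are hypothetical; nothing here is taken from the CVE write-up. Firebase does not infer ownership from your data model; it grants exactly what the rules say, so the rule that is easy to write during development is the one that ships unless someone tightens it.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (hypothetical, for contrast): any signed-in user can read or write
    // every document in the collection, including rewriting its ownerId field,
    // because "authenticated" is the only thing the rule checks.
    //
    // match /userData/{docId} {
    //   allow read, write: if request.auth != null;
    // }

    // HARDENED: a document is visible and writable only to the account that
    // created it, and ownership cannot be reassigned after creation.
    match /userData/{docId} {
      function signedIn() {
        return request.auth != null;
      }
      // resource = the document as currently stored;
      // request.resource = the document as it would be after the write.
      // Both must name the caller as owner.
      function ownsStored() {
        return signedIn() && resource.data.ownerId == request.auth.uid;
      }
      function ownsIncoming() {
        return signedIn() && request.resource.data.ownerId == request.auth.uid;
      }

      allow read:   if ownsStored();
      allow create: if ownsIncoming();
      // Requiring both checks on update pins ownerId to the caller's uid,
      // so an attacker cannot move someone else's document onto themselves
      // or hand their own document to a victim.
      allow update: if ownsStored() && ownsIncoming();
      allow delete: if ownsStored();
    }

    // Firestore already denies paths no rule matches; this block only makes
    // the intent explicit. Caveat: overlapping match blocks are OR-ed, so a
    // broad `allow` left anywhere in the file still wins over this deny.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

    These rules can be exercised offline with the Firebase Local Emulator Suite (`firebase emulators:start --only firestore`) together with the `@firebase/rules-unit-testing` package: a test that signs in as one uid, writes a document, then attempts an update or a change of `ownerId` as a second uid should see PERMISSION_DENIED. A later edit that drops `ownsStored()` from the update rule is precisely the regression such a test exists to catch.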

tanx16 10 months ago

> We’re also bolstering our security team, and have hired a new senior security engineer.

Is there a reason why you don’t have any security-specific positions open on your careers site?

  • ha470 10 months ago

    We did but we closed the roles by hiring folks. They just haven’t joined yet.

zo1 10 months ago

Until this individual comes back and responds to at least a few of the questions/comments, I don't think we should even pay attention to this marketing-dept-written post. They basically want this to go away, and answering any questions would most likely raise more issues, so they just seem to have done the bare minimum and left it at that. It's 3 hours later now; they might as well have not even posted anything here.

exdsq 10 months ago

$2000 is an absurdly small bounty here - you should up that

  • radicaldreamer 10 months ago

    50k or 100k would be far more appropriate given the severity of this issue. But overall, this makes me think there's probably a lot more vulnerabilities in Arc that are undiscovered/unpatched.

    Also, there's the whole notion of every URL you visit being sent to Firebase -- were these logged? Awful for a browser.

  • ha470 10 months ago

    Ya this is fair! Honestly this was our first bounty ever awarded and we could have been more thoughtful. We’re currently setting up a proper program and based on that rubric will adjust accordingly.

    • ARandomerDude 10 months ago

      > Honestly this was our first bounty ever awarded and we could have been more thoughtful

      That’s corporate speak for “no, we won’t pay the researcher any more money.”

    • karlzt 10 months ago

      $200k for this big bug.

      • karlzt 10 months ago

        My comment has been downvoted twice, but I don't see it grayed out, I wonder why.

FleetAdmiralJa 10 months ago

I think the bigger question is: Why are you violating your own security policy by keeping track of what we browse? I thought my browsing was private and hidden away from you, but if you store my browsing data in your Firebase this is not acceptable at all.

liendolucas 10 months ago

> "...the hypothetical depth of this vulnerability is unacceptable."

What is also unacceptable is to pay 2000 dollars for something like this AND have to create user accounts to use your browser. Will definitely stay away from it.

_kidlike 10 months ago

no mention of the pitiful bounty reward (2000 usd). only sorry and thanks. Please award this person a proper bounty.

__turbobrew__ 10 months ago

Are you going to address the part where you send visited websites to Firebase which goes against your privacy policy of not tracking visited URLs?

markandrewj 10 months ago

I would like to respectfully provide the suggestion of allowing for the use of Arc without being signed into an account. Although I understand browser/device sync is part of most modern browsers, and the value it provides, normally it is a choice to use this feature. Arc still provides a lot of attractive features, even without browser sync on.

benreesman 10 months ago

I like Arc, and I don’t want to pile on: God knows I’ve written vulnerable code.

To explore a constructive angle both for the industry generally and the Browser Company specifically: hire this clever hacker who pwned your shit in a well-remunerated and high-profile way.

The Browser Company is trying to break tradition with a lot of obsolete Web norms, how about paying bullshit bounties under pressure rather than posting the underground experts to guard the henhouse.

If the Browser Company started a small but aggressive internal red team on the biohazard that is the modern web?

I’ll learn some new keyboard shortcuts and I bet a lot of people will.

nixosbestos 10 months ago

So when there are near weekly reports of websites being compromised due to horrid Firebase configuration, did absolutely no one on your teams raise a red flag? Is there some super low-pri ticket that says "actually make sure we use ACLs on Firebase"?

kernal 10 months ago

>Arc brought order to the chaos that was my online life. There’s no going back.

Bringing the chaos back like it's 1999.

msephton 10 months ago

I misread your name as Hush which is kind of fitting considering how you're trying to make this go away

metadat 10 months ago

Hursh / ha470, where did you go? There are lots of good questions in the replies to your thread, yet you went dark immediately after posting more than 8 hours ago. It's hard to imagine what could be more pressing than addressing people's concerns after a major security incident such as this.

To be honest, I'm a bit disappointed. For future reference, this doesn't seem like a good strategy to contain reputational damage.

FactKnower69 10 months ago

remember when reading this that this guy's company is valued at a billion dollars and his comp is 10x yours if not more. we live in a meritocracy

ycombinatrix 10 months ago

ngl this is pretty pathetic. the massive security hole is one thing but you're just gonna gloss over violating your own privacy policy?

exabrial 10 months ago

Bro you should be requiring accounts to download HTML. Come on man.

mirzap 10 months ago

Pay the guy properly. $2000 is an insult. It should be $50k. This kind of bug could be sold for 100-200k easily.

  • JumpCrisscross 10 months ago

    > This kind of bug could be sold for 100-200k easily

    Maybe not. If the browser is that buggy, there may be plenty of these lying around. The company itself is pricing the vulnerability at $2k. That should speak volumes to their internal view of their product.

    • radicaldreamer 10 months ago

      Many engineers at SV startups use Arc on a daily basis. This bug could've resulted in the compromise of multiple companies, probably including crypto exchanges. A browser bug of this severity is extremely valuable, even for a niche browser like Arc.

      • JumpCrisscross 10 months ago

        > Many engineers at SV startups use Arc on a daily basis

        Do we have adoption statistics?

        It would seem prudent for the browser to be banned in professional environments. (I use Kagi's Orion browser as a personal browser on MacOS. My work is done in Firefox.)

        > browser bug of this severity is extremely valuable, even for a niche browser like Arc

        Absolutely. (Even if it were in beta.)

        What I'm trying to say is the $2k payout sends a message. One, that The Browser Company doesn't take security seriously. And/or two, that they don't think they could pay out a larger number given the state of their codebase.

        Side note: my favourite content on crisis management is this 2-minute video by Scott Galloway [1]. (Ignore the political colour.)

        [1] https://www.youtube.com/watch?v=PB-AyvgE8Ns

    • shuckles 10 months ago

      I think OP meant to say "this bug could let an attacker gain $200k of value easily", though you are right the market clearing price for such a vulnerability is probably low due to huge supply.

ibash 10 months ago

Thanks for the response.

While people might nitpick on how things were handled, the fact that you checked if anyone was affected and fixed it promptly is a good thing.

  • ziddoap 10 months ago

    It is not really nitpicking, given the severity.

    Being prompt on a vulnerability of this magnitude should be considered "meeting the standard" at best.

  • metadat 10 months ago

    The CTO and co-founder didn't check in on any of the concerns, completely disappeared after leaving a heartfelt comment. This comes off as incredibly disingenuous.