bhaney 7 hours ago | next |

There are a lot of major security vulnerabilities in the world that were made understandably, and can be forgiven if they're handled responsibly and fixed.

This is not one of them. In my opinion, this shows a kind of reputation-ruining incompetency that would convince me to never use Arc ever again.

Imustaskforhelp an hour ago | root | parent | prev | next |

I agree & disagree.

Browsers are very important part of our life. If someone compromises our browsers , they basically compromise every single aspect of privacy and can lead to insane scams.

And because arc browser is new , they wanted to build fast and so they used tools like firebase / firestore to be capable of moving faster (they are a startup)

Now I have read the article but I am still not sure how much of this can be contributed to firebase or arc

On the following page from same author (I think) https://env.fail/posts/firewreck-1 , tldr states

- Firebase allows for easy misconfiguration of security rules with zero warnings

- This has resulted in hundreds of sites exposing a total of ~125 Million user records, including plaintext passwords & sensitive billing information

So because firebase advocates itself to the developers as being safe yet not being safe , I think arc succumbed to it.

firestore has a tendency to not abide by the system proxy settings in the Swift SDK for firebase, so going off my hunch,

Also , you say that you have been convinced to never use arc again.

Did you know that chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to the websites starting with *.google.com ?

this is just recently discovered , just imagine if something more serious is also just waiting in the shadows Couldn't this also be considered a major security vulnerability just waiting to be happen if some other exploit like this can be discovered / google.com is leaked and now your cpu information and way more other stuff which browsers shouldn't know is with a malicious threat actor ?

nine_k 11 minutes ago | root | parent | next |

I very much agree with the idea that browsers are security-sensitive software, unlike, say, a picture editor, and more like an ssh server. It should be assumed to be constantly under attack.

And browser development is exactly not the area where I would like to see the "move fast, break things" attitude. While firebase may be sloppy with security and thus unfit for certain purposes, I would expect competent developers of a browser to do due diligence before considering to use it, or whatever else, for anything even remotely related to security. Or, if they want to experiment, I'd rather that be opt-in, and come with a big banner: "This is experimental software. DO NOT attempt to access your bank account, or your real email account, or your social media accounts".

With that, I don't see much exploit potential in learning stats like the number of cores on your machine. Maybe slightly more chances of fingerprinting, but nothing comparable to the leak through improper usage of firebase.

endigma 7 hours ago | root | parent | prev | next |

Also, firebase? seriously? this is a company with like, low level software engineers on payroll, and they are using a CRUD backend in a box. cost effective I guess? I wouldn't even have firebase on the long list for a backend if I were architecting something like this. Especially when feature-parity competitors like Supabase just wrap a normal DBMS and auth model.

JumpCrisscross 2 hours ago | root | parent |

> low level software engineers on payroll

How does The Browser Company make money? They're giving their product away for free.

Browsers are complicated. It doesn't inspire confidence that the folks in charge of that complexity can't get their heads around a business model.

(Aside: none of their stated company values have anything to do with the product or engineering [1]. They're all about how people feel.)

[1] https://thebrowser.company/values/

aaomidi 7 hours ago | root | parent | prev |

You’d think that a company shipping a browser would pay a little more attention to security rules.

Also, shame on firebase for not making this a bit more idiot proof.

And really? $2500? That’s it? You could’ve owned literally every user of Arc… The NSA would’ve paid a couple more zeros on that.

255kb 19 minutes ago | root | parent | next |

Firestore rules are in "lock mode" (no read or write allowed) by default since a long time. Then, everything is ultra well explained in the docs.

I was already aware of it when being a noob dev 10 years ago, and could easily write a rule to enforce auth + ownership in the rules. No way, seasoned devs can miss that.

prmoustache 35 minutes ago | root | parent | prev | next |

> You could’ve owned literally every user of Arc… The NSA would’ve paid a couple more zeros on that.

only the 17 users they have.

Shouldn't a government sue you if you try to sell him out vuln unless you personally know people in charge?

Imustaskforhelp an hour ago | root | parent | prev | next |

yes. I feel sad that now we have created an incentive where selling to the govt.'s is often much lucrative than telling to the vulnerable party (arc in this case)

(just imagine , this author was great for telling the company , this is also a cross platform exploit with very serious issues (I think arc is available on ios as well))

how many of such huge vulnerabilities exist but we just don't know about it , because the author hasn't disclosed it to the public or vulnerable party but rather nsa or some govt. agency

nemomarx 7 hours ago | root | parent | prev | next |

Are there a lot of Arc users? It seems like a pretty niche browser even compared to other niches.

viraptor 3 hours ago | root | parent | next |

Lots of developers and power users make a good chunk of Arc's use base. If you're after some interesting credentials then "every Arc user" is a perfect group with little noise.

nicce 3 hours ago | root | parent |

> power users

Not that many. Most power users don't like to be forced for logging in, before they are able to use the browser.

doix 2 hours ago | root | parent | next |

If I had to guess, the typical Arc user is a Mac user in tech. It doesn't run on Linux, most windows users wouldn't run it, and non-tech people haven't heard of it.

Then most engineering IC people will most likely run Firefox or Chrome, so you're probably looking at designers/founders/managers as your target.

Probably some interesting targets there, but not the type that the NSA cares about. Just pure conjecture on my part of course ;).

Imustaskforhelp an hour ago | root | parent | prev | next |

my brother uses arc browser , he is a developer . I think he saw it from somebody using it (maybe theo t3 or some other creator he watches) , and he found it cool (plus there were lot of videos flooded with saying arc is really great IDK)

If someone finds something cool on the internet. They are going to try it , given that they are capable to do so.

He had a mac so he was able to do so , Even I tried to run arc on windows once when it was really beta and only available to mac (I think now it supports windows not sure)

I just kindly want to state that if the nsa could've bought this exploit , they could've simply waited and maybe even promote arc themselves (seems unlikely)

Maybe they could've tried to promote the numbers of arc users by trying to force google and microsoft search engine through some secret shady company advertising / writing blog posts for arc / giving arch funding or like how we know that there are secret courts in america

( and since these search engines basically constitutes for a high percentage of discovery of stuff by search engine by users)

People could've credited the success to arc in that case for getting more users but the real winner would've been NSA.

water-data-dude 6 hours ago | prev | next |

I just wanted to say, I enjoyed the little pixel art cat that runs towards wherever you click immensely. It’s one of those fun, whimsical little touches that I don’t see all that often. A reminder that the internet can be a fun, whimsical place if we want it to be :)

johndough 4 hours ago | root | parent | prev | next |

On Debian, you can install and run the cat with

    sudo apt install oneko
    oneko &
Makes a great gift for colleagues who leave their computer unattended.

bbarnett 41 minutes ago | root | parent |

Well that was a rabbit hole.

Current version is hard to even see with high-res screens. A few checks shows endless ports, code from the 90s and before, and all sorts of other fun.

Wonder if the author will reply.

monroewalker 5 hours ago | prev | next |

Can we have Arc added to the title of the post to better alert people who use or know people who use the browser?

Borgz an hour ago | prev | next |

According to this article, Arc requires an account and sends Google's Firebase the hostname of every page you visit along with your user ID. Does this make Arc the least private web browser currently being used?

ko_pivot 9 hours ago | prev | next |

This is such a fantastic bug. Firebase security rules (like with other BaaS systems like Firebase) have this weird default that is hard to describe. Basically, if I write my own API, I will set the userId of the record (a 'boost' in this case) to the userId from the session, rather than passing it in the request payload. It would never even occur to a developer writing their own API past a certain level of experience to let the client pass (what is supposed to be) their own userId to a protected API route.

On the other hand, with security rules you are trying to imagine every possible misuse of the system regardless of what its programmed use actually is.

nottorp 4 hours ago | root | parent |

> On the other hand, with security rules you are trying to imagine every possible misuse of the system regardless of what its programmed use actually is.

Tbh you're doing it wrong if you go that way.

Default deny, and then you only have to imagine the legitimate uses.

imglorp 7 hours ago | prev | next |

OP is talking about the Arc browser, not the Arc language, the Arc "Atomic React" project, or any of scores of other projects with that name.

ahoef 4 hours ago | prev | next |

Nice article, but this is hard to read without proper capitalization. My brain uses capitals to scan beginning and ending of text.

Aachen 28 minutes ago | root | parent | next |

I was similarly fascinated by the stylistic choices made here. No capitalisation of even any names, no hyphen in a compound adjective, but dots and commas and spaces are deemed necessary, also before "and" where the word clearly acts as separator already. If you look at the waveform of speech, we have no spaces between regular words so, if they want to eliminate unnecessary flourishes... though perhaps (since text largely lacks intonation markers) that makes it too unreadable compared to the other changes. All this is somehow at least as fascinating to me as the vulnerability being described!

maipen an hour ago | prev | next |

Very small bounty, but I honestly believe this arc thing won’t last long…

Browsers are hard and my only choice has been chrome and will remain so for the long foreseeable future.

When I was younger I would enjoy switching to firefox, opera, etc..

But I always came back to chrome because it just worked and always performed when I needed.

Chrome/chromium is the safest browser.

People tend to fall for the shiny new thing and then realize it was just hype.

Please be very careful about what software you choose to perform most of your activities.

The same applies to these “new ai IDEs” that keep popping up every other say.

appendix-rock an hour ago | root | parent |

…Firefox as an alternative to Chrome!? Am I really that old!?

I used Chrome for years and years, right from when it first came out. Since then, I switched back to Firefox, and have used it for years. It works perfectly fine.

shepherdjerred 5 hours ago | prev | next |

$2000 is an insulting amount for such a huge vuln

isoprophlex 3 hours ago | root | parent |

Yeah, you have to have some solid backbone not to sell this off to some malicious party for 20-50x that amount...

umanwizard an hour ago | root | parent | next |

Am I too optimistic? I feel like most regular people I know wouldn’t sell this off. Most people are not antisocial criminals by nature, and also wouldn’t know how to contact a “state actor” even if they wanted to.

pityJuke an hour ago | root | parent |

> also wouldn’t know how to contact a “state actor” even if they wanted to.

That's why brokerages like Zerodium exist - you can sell it to them, and they'll sell it onto state actors.

eru an hour ago | prev | next |

For context: what is this 'arc' that the blog post mentions? I presumes it's not Paul Graham's Lisp dialect in this context?

EDIT: seems to be a browser or so?

supriyo-biswas 6 hours ago | prev | next |

Great research. As I've said elsewhere, Firebase's authentication model is inherently broken and causes loads of issues, and people would be better off writing a small microservice or serverless function that fronts Firebase.

Also, for anyone trying to read the article, they should put `/oneko.js` in their adblocker.

Aaron2222 5 hours ago | root | parent |

> Also, for anyone trying to read the article, they should put `/oneko.js` in their adblocker.

Only if you hate cats, pixel art, or are easily distracted.

hunter2_ 4 hours ago | root | parent | next |

I suspect it's that they hate are easily distracted (if "hate" falls outside of the series, such that it applies beyond just "cats")!

nottorp 4 hours ago | root | parent | prev |

Looks like someone already added it to uBlock Origin since I see no cat.

Or maybe the cat doesn't support Firefox...

doix 2 hours ago | root | parent | next |

Did you enable the ui.prefersReducedMotion setting? That hides the cat from what I can tell

nottorp 2 hours ago | root | parent |

Hmm not that I remember. But I have reduced motion enabled on my phone system wide and maybe that synced to my desktop on its own.

Which is scary come to think of it.

nottorp 7 minutes ago | root | parent |

Too late to edit... i just got around to checking and I do have system wide reduced motion and reduced transparency on this laptop. I'm sure I didn't set it up on there, just on the phone.

I think Apple is starting to sync too much...

bestest 4 hours ago | prev | next |

the developers working with firebase should enforce common-sense document crud restrictions in the rules. that's just how firebase is. everyone knows it.

now, when talking about ARC BROWSER, i am seriously starting to doubt the competence of the team. I mean, if the rules are broken (no tests? no rules whatsoever?), what else is broken with ARC? are we to await a data leak from ARC?

any browser recommendations with proper vertical tabs and basically everything working like it does in ARC?

whatevermom 2 hours ago | prev | next |

I’m ashamed I fell for Arc and even recommended it to my friends, as someone whose job is exactly this but with Android apps :(

efilife 16 minutes ago | root | parent |

They claim so much and their browsers' code is 100% proprietary so it's impossiblen to verify their lies. This is what triggered the bullshit detector in my head

userbinator 6 hours ago | prev | next |

while researching, i saw some data being sent over to the server, like this query everytime you visit a site

I'm not surprised in the least --- basically the vast majority of software these days is spyware. Looking at Arc's privacy page, it appears to be mainly marketing fluff similar to what I've seen from other companies. I have yet to find a privacy policy that says frankly "we only know your IP and time you downloaded the software, for the few weeks before the server logs are overwritten."

upghost 8 hours ago | prev | next |

Article great, cute doge even better. Here's my upvote!

upghost 5 hours ago | root | parent | prev |

I got downvoted for calling it a dog??

Now that's ruff!!

robbiewxyz an hour ago | root | parent | next |

Good pun :)

HN tends to be a little hard on brief comments. My current understanding is that comments with little substance are totally acceptable provided they're good natured.

For example this comment by dang "There's nothing wrong with submitting a comment saying just "Thanks."" https://news.ycombinator.com/item?id=37251836.

Also from the guidelines "Comments should get more thoughtful and substantive, not less, as a topic gets more divisive": this post's topic doesn't likely qualify as divisive.

jongjong 3 hours ago | prev |

This is a nice investigation and a great read. Sad that they don't normally do bug bounties. $2000 seems small considering the severity of this vulnerability. Though I guess the size and finances of the company is a factor. It takes some serious skills, effort and luck to discover something like that. It should be well compensated.