Gaining access to anyones Arc browser without them even visiting a website

Hursh, can you please respond to the above commenter? As an early adopter, I find it fairly troubling to see a company that touts transparency hide the blog post and only publicly "own up to it" within the confines of a single HN thread.

Not a good look it not being on the main page! I personally use [zen browser](https://github.com/zen-browser/desktop); I like the ideas of Arc, but it always seemed sketchy to me, especially it being Chromium-based and closed-source.

Selling vulnerability on the black market is immoral and may be illegal. The goal of bug bounty programs was initially to signal "we won't sue white hat researchers who disclose their findings to us", when did it evolve into "pay me more than criminals would, or else"?

> because you paid a measly $2k bounty for a bug that owns, in a dangerous way, all of your users

The case is redeemable. It may still be an opportunity if handled deftly. But it would require an almost theatrical display of generosity to the white hat (together, likely, with a re-constituting of the engineering team).

You have no idea but you suspect someone could have made more?

So you're not going to use Arc. How much do you pay for the browser you do use?

Should have at least paid €1 per user. Eh, maybe that’s what they did?

I think that is addressed in the post. Apparently the URL was only sent under certain conditions and has since been addressed:

>We’ve fixed the issues with leaking your current website on navigation while you had the Boost editor open. We don’t log these requests anywhere, and if you didn’t have the Boosts editor open these requests were not made. Regardless this is against our privacy policy and should have never been in the product to begin with.

Given the context (boosts need to know the URL they apply to after all) this indeed was a "deliberate design choice" but not in the manner you appear to be suggesting. It's still very worrisome, I agree.

And what, you’re going to find them a new CTO? What kind of magical world do you live in where problems are solved by leaders resigning, instead of stepping up and taking accountability?

Surprise surprise, turns out it takes a looong time for every software startup to finally strip out all the hacky stuff from their MVP days. Apparently nobody on this startup community forum has ever built a startup before.

Pro tip: if stuff like this violently upsets you, never be an early adopter of anything. Wait 5-10 years and then make your move.

Personally, I expect stuff like this from challenger alternatives, this is the way it should be. There is no such thing as a new, bug-free software product. Software gets good by gaining adoption and going through battle testing, it’s never the other way around like some big company worker would imagine.

Well, the current team perhaps.

But it's also likely part of the startup mentally of "move fast and break things", which is not entirely compatible with the goal of the browser.

> $2,000 is a tiny fraction of what this bug is worth

The Browser Company raises $50mm at a $550mm post-money valuation in March [1]. They’ve raised $125mm altogether.

Unless they’re absolute asshats, they’ll increase the bug payout. But people act truly when they don’t think they’re being watched—a vulnerability of this magnitude was worth $2k to this company. That’s…eyebrow raising.

[1] https://techcrunch.com/2024/03/21/the-browser-company-raises...

Hursh responded elsewhere on the thread:

https://news.ycombinator.com/item?id=41606219

Any new vulnerability will be sold to the highest bidder and/or exploited instead of being reported for the bug bounty because of this.

Saying Google provides examples of being rather nice about it.

Firebase ACLs are a constant source of vulnerabilities largely because they are confusing and don't have enough documentation around them.

We did but we closed the roles by hiring folks. They just haven’t joined yet.

50k or 100k would be far more appropriate given the severity of this issue. But overall, this makes me think there's probably a lot more vulnerabilities in Arc that are undiscovered/unpatched.

Also, there's the whole notion of every URL you visit being sent to Firebase -- were these logged? Awful for a browser.

Ya this is fair! Honestly this was our first bounty ever awarded and we could have been more thoughtful. We’re currently setting up a proper program and based on that rubric will adjust accordingly.

> This kind of bug could be sold for 100-200k easily

Maybe not. If the browser is that buggy, there may be plenty of these lying around. The company itself is pricing the vulnerability at $2k. That should speak volumes to their internal view of their product.

It is not really nitpicking, given the severity.

Being prompt on a vulnerability of this magnitude should be considered "meeting the standard" at best.

The CTO and co-founder didn't check in on any of the concerns, completely disappeared after leaving a heartfelt comment. This comes off as incredibly disingenuous.

> bold warning text in the Firebase docs.

Unfortunately, we currently have an industry where highly paid "engineers" unironically believe that their job can be done by reading/watching random tutorials, googling for StackOverflow answers, and pasting code from gists.

Attentively reading documentation or developing a mental model of how your tools work so that you know how they are built to be handled does not make it on to any job listing bullet points. It presumably fell off the bottom in favor of team spirit or brand enthusiasm or whatever.

How many tutorials, community answers, and gists do you think conveyed that warning?

I think a system that makes it this easy to shoot yourself in the foot is probably not a great system. Documentation is important, and I'm glad it's clear and obvious, but humans make mistakes. You'd hope that the mistakes have less dire consequences.

> it's very easy to misconfigure, but basic security practices like these are highlighted in bright, bold warning text in the Firebase docs.

I'm sorry but if the whole design is "one big database shared with everyone and we must manually configure the database for auth" there is a problem that's deeper than just having to read the doc. It means the basic understanding of what it means to keep data as private as possible is not understood. A shared database only works when the server accesses it, not when client has direct access.

What Arc needs is to segregate each user's data in a different place, in the design of the database, not as part of configuration of custom code. Make it impossible to list all user's data, or even users. When, not if, an id is guessed, related data becomes accessible by someone else; make it so that someone else still can't read it, or can't replace it.

Nobody reads docs dude. They copy and paste stack overflow answers, and now, copilot answers, which is going to be based on stack overflow ultimately anyway.

I guess we're not always professionals at all the work that we do, if that makes sense

Are you defining amateurs as people who are not your coworkers? It can still be an amateur mistake.

If it's internal, did they really need to have auth?

Didn't they already have these rules in place? And the vulnerability was when the owner was updating the resource to have a new owner?

Is there no Allow-read? Edit: Yes,

    allow read, update, delete: if request.auth != null && request.auth.uid == userId;

It does: https://github.com/adryd325/oneko.js/blob/main/oneko.js

       const isReducedMotion =
         window.matchMedia(`(prefers-reduced-motion: reduce)`) === true ||
         window.matchMedia(`(prefers-reduced-motion: reduce)`).matches === true;
     
       if (isReducedMotion) return;
     

Same for me, on FF you can override it with:

  about:config
    ui.prefersReducedMotion = 0

Well that was a rabbit hole.

Current version is hard to even see with high-res screens. A few checks shows endless ports, code from the 90s and before, and all sorts of other fun.

Wonder if the author will reply.

You have sudo access to your colleagues computers?

it sits when it's next to pointer. just don't move your mouse.

I thought it just ran around on the top line of the header, and was quite taken with it. I then scrolled and it followed me right into the middle of a paragraph. Less taken, but cat's gonna cat.

Truly. I was looking for a privacy respecting Chromium-based browser to use for Web MiniDisc (https://web.minidisc.wiki/) and came across some enthusiastic praise for Arc. I downloaded it and it immediately wanted me to create an account to even use it. How can that possibly respect my privacy? It went right in the trash.

I had the same response when I downloaded Dart and discovered that a programming language thought it was acceptable to send telemetry.

I had doubts already when submissions promoting the browser were added on hn while there was no way to see how it looks like or even test it out - for quite some time there was nothing but mail singup on their page.

https://news.ycombinator.com/item?id=35801529

I did the same. Requiring an account for a browser is immediately disqualifying. I don't care how many features it has.

Even Chrome wouldn't dare

I guess it's relatively easy to test, add the Firebase domain to your host file and point it to 127.0.0.1 and try to use the browser.

Sometimes things like this handle connection failures better than "never-ending connection attempts", so you might want to try to add a throttle or something too for the traffic between the domain and the browser, might also trip it up.

Chrome does not require an account to use. And Chrome by default doesn't send sites you visit to Google, unless you turn on the "make searches and browsing better" feature or the "enhanced safe browsing" feature.

So the OP is right. Arc's privacy is worse than Chrome.

Fair enough, but my point is more conceptual, in that you still have to write `boost.userId == auth.userId` as an allowed pattern rather than making that pattern the only technically possible result, which is the convention in a traditional API.

And then when you imagine the legitimate uses you have to imagine how allowing those legitimate uses could be misused. You always need to think red and blue.

It says in the article. If you share one of your snippets, or make/accept a friend request, that all uses the same id

Reacting fast is the least the vendor could do. Bare minimum. This should not be applauded. It should be treated as "well, at least they reacted at a reasonable speed so the root cause was probably not malice".

In other words, a quick turnaround with a fix does not lessen the impact of being negligent about security when designing the product.

"They put the bandaid over the wound caused by a flagrant disregard for the users privacy, security, and safety."

Phew, glad that's over and will never happen again.

28 hours (note the date), but still

28 hours for a 1 line fix is impressive?

You could have just borrowed someone else’s, it appears.

No Linux version prevented me from trying it, didn't even get to the account wall, who knows if there's a pay wall. Perhaps the "moat" concept was misunderstood.

Yeah I’m so torn. It’s honestly the best browser UX I’ve seen, the right combination of vertical tabs, auto archiving, spaces/collections, sync, etc. I don’t care for Easels, but the core is good.

Except… the growth hacks have started to creep in. They overlay an advert for their own AI services on top of regular Google search results pages in their mobile app. Not even a browser chrome UI element, it’s literally over the page content. That feels like a huge violation of what it means to be a browser.

I don’t want their AI features. I don’t want growth hacks. I don’t want to sign in except for sync. I’d happily pay $40 a year for Arc as a product-focused-product, but as a VC-focused-product it’s heading downhill.

> You could’ve owned literally every user of Arc… The NSA would’ve paid a couple more zeros on that.

only the 17 users they have.

Shouldn't a government sue you if you try to sell him out vuln unless you personally know people in charge?

Are there a lot of Arc users? It seems like a pretty niche browser even compared to other niches.

Firestore rules are in "lock mode" (no read or write allowed) by default since a long time. Then, everything is ultra well explained in the docs.

I was already aware of it when being a noob dev 10 years ago, and could easily write a rule to enforce auth + ownership in the rules. No way, seasoned devs can miss that.

The page says $2,000.

A couple? A vuln like this is worth >$1M very easily on the market.

yes. I feel sad that now we have created an incentive where selling to the govt.'s is often much lucrative than telling to the vulnerable party (arc in this case)

(just imagine , this author was great for telling the company , this is also a cross platform exploit with very serious issues (I think arc is available on ios as well))

how many of such huge vulnerabilities exist but we just don't know about it , because the author hasn't disclosed it to the public or vulnerable party but rather nsa or some govt. agency

> low level software engineers on payroll

How does The Browser Company make money? They're giving their product away for free.

Browsers are complicated. It doesn't inspire confidence that the folks in charge of that complexity can't get their heads around a business model.

(Aside: none of their stated company values have anything to do with the product or engineering [1]. They're all about how people feel.)

[1] https://thebrowser.company/values/

I don't see an issue, using something like Firebase is what a smart engineer would do. Just this one piece of logic is a problem.

Unfortunately, Zen Browser simply isn't an alternative. If you like Arc, then Zen's UI for tabs and splitting views isn't really anywhere close to satisfying the same needs.

I also wrote a guide on ARC features that work better on Firefox: https://thannymack.com/#Arc%20features%20that%20work%20bette...

https://news.ycombinator.com/item?id=36862546

I very much agree with the idea that browsers are security-sensitive software, unlike, say, a picture editor, and more like an ssh server. It should be assumed to be constantly under attack.

And browser development is exactly not the area where I would like to see the "move fast, break things" attitude. While firebase may be sloppy with security and thus unfit for certain purposes, I would expect competent developers of a browser to do due diligence before considering to use it, or whatever else, for anything even remotely related to security. Or, if they want to experiment, I'd rather that be opt-in, and come with a big banner: "This is experimental software. DO NOT attempt to access your bank account, or your real email account, or your social media accounts".

With that, I don't see much exploit potential in learning stats like the number of cores on your machine. Maybe slightly more chances of fingerprinting, but nothing comparable to the leak through improper usage of firebase.

You do know that there are more than chrome and arc right?

> Did you know that chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to the websites starting with *.google.com ?

That's pretty interesting. Where can I learn more about this?

>>Did you know that chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to the websites starting with *.google.com ?

Yeah so using chrome based browsers like Arc is giving more power to Google to do shady stuff while also being a victim of the third party unsafe code.

I'm in the same boat as GP. Was invited early, loved the Arc UX far more than any other browser. I've recommended it to many people.

As many other comments have pointed out, this vulnerability is such a rookie mistake that I don't think I can trust them again after this without understanding what factors in their security/engineering culture led to it. Patching this one issue isn't enough.

>Them acknowledging the issue, then fixing it within 28 hours isn't good enough for you?

Are you not concerned with the yet to be discovered vulnerabilities?

What is concerning is the nature of the vulnerability and how it speaks to their security culture (which is obviously non-existent). This also revealed that their privacy policy is pure marketing fluff, completely disconnected from (and, in fact, counter to) their actions.

If you are comfortable using a browser (probably the software with the largest risk and attack surface on your device) that had an embarrassingly rudimentary vulnerability, made by a company who lie about the most important promise of their privacy policy, then I've got a calculator app for you.

They afaik never said that they ‘fixed’ the issue where they’re sending Google your every visited url.

Where did they acknowledge the issue? There’s nothing about this issue on their website or their Twitter feed.

[flagged]

They offer a low price because the risk of tanking your career, landing yourself in jail, and the fact that the researcher probably doesn't know how to line up a sale means the company is the only buyer.

I would go the other way, companies offer low bug bounties because they don't want researchers to discover them in the first place. This looks terrible for Arc despite the fact if left undisclosed it probably would have continued to be unexploited for years to come.

Am I too optimistic? I feel like most regular people I know wouldn’t sell this off. Most people are not antisocial criminals by nature, and also wouldn’t know how to contact a “state actor” even if they wanted to.

A malicious party who wants a vulnerability in a browser effectively nobody uses?

I’m middle-aged. I’ve noticed in the last few months more and more articles with this style. Something I’ve never seen before in blogging or article writing.

I usually notice the style at some point but this time I had no idea until this other commenter pointed it out. I guess I am getting acclimatized.

Using uppercase is for writing (more formal).

using lowercase is for chat (less formal)

It’s just another dumb social media trend, like tYpiNg LiKe tHiS. Hopefully it too will phase out. Search for “lowercase trend” and you’ll find reports of it going years back, there’s nothing worth being fascinated about.

It has seeped into HN as well. Look closely and you’ll notice several commenters type like that.

Depending on the version you are using, you might not even need to add it, someone else might just add it for you!

this made me laugh. 10/10

Im dyslexic and I tend to use the pointer to follow what I am reading to help me. The cat was annoying as hell. I just had to hide the element in the DOM before i could read more than a few lines. Infuriating design choice to make it follow the pointer.

Looks like someone already added it to uBlock Origin since I see no cat.

Or maybe the cat doesn't support Firefox...

I suspect it's that they hate are easily distracted (if "hate" falls outside of the series, such that it applies beyond just "cats")!

The fact that clients write directly into the database and that it's widely encouraged.

There are security rules in Firebase to prevent this, but bolt-on security models that the user has to explicitly enable haven't shown to work.

As a person that recently started using it: it has something like "tree style tabs", and sort of a hybrid merge of the concepts of tabs and bookmarks. In other words, the tabs work more like files on disk -- open/closed, sorted into folders. I'm probably not explaining it well either, but I encourage you to try it if you ever wanted to experiment with alternative tab management (tree style tab, tab groups etc). It's a concept that clicked for me quickly once I started using it, and now I'm angry since I want to use Firefox for philosophical reasons but don't want to go back to regular tabs.

It's a browser (chromium based) with a really nice UI that people love, I am intrigued but haven't used it because I find the requirement to create an account off-putting.

The “what makes Arc different from other browsers” section is particularly funny.

> Arc is to your ex-browser what the iPhone was to cellphones. Or as one of our members said “like moving from a PC to a Mac.” It’s from the future — and just feels great.

I don't understand what you do not get. In the link you sent they claim to be a privacy oriented web browser based on chromium

I did. It’s like 20 % an Arc clone, and 80 % of UX papercuts. Like, you can’t have ‘add tab’ button on top when the new tab gets added to the bottom. Or that one sidebar button opens a side window to the right of the sidebar, while another below it opens the favorites to the left and moves the whole sidebar from underneath your mouse.

Looks like a minimal effort css restyle of Firefox.

nice. will probably try it in the future.

but the for-some-reason-not-obvious revelation that it's just a product that some team somewhere is working on and the fact that a browser is an important piece of software brought me back to safari (not sure if joke's on me, but in this case I trust apple engineers to do a more thorough job in ensuring my data is secure).

i'm rooting for them to succeed, but if the concern is security, switching your daily driver browser to a brand-new browser that's still in alpha is unfortunately not a good idea.

Brave is VC funded and needing to extract a billion of value. Just like Arc.

I know about Zen and Floorp. For my day to day browsing Arc has:

# Split screen tabs

Zen and Floorp both have this but the UX for both is really clunky. Surely they'll improve but Arc felt like second nature.

# Little Arcs

As far as I know, neither Zen or Floorp have this feature and if they do then the UX is not as obvious as Arc. The UX around Little Arcs is almost perfect. If I click on a link, it opens as a modal that I can expand to its own tab if I need or dismiss by just clicking away. The same things happens in other apps so I don't lose context just because I wanted to look at a link quick. If I do want to bring that tab into a space then it's 1-2 clicks away. My only gripe with this is that the Little Arcs that are created from clicking links in other apps don't auto dismiss if you change focus but this might just be a setting I don't have configured.

# Inset meetings/videos

AFAIK neither has this feature either. Having videos that are playing just seamlessly pop-up picture-in-picture when navigating away from the video tab is useful enough but the meeting feature is key for me because my company uses Google Meet. I can navigate away from meetings to look-up info/check Slack/etc without losing focus on the meeting itself and getting back to the meeting tab or unmuting myself is 1 click away.

Sure all of these things could probably be accomplished by browser extensions but I think the UI/UX within Arc is pretty tough to compete with.

According to their blog post https://arc.net/blog/CVE-2024-45489-incident-response they fixed it:

> We’ve fixed the issues with leaking your current website on navigation while you had the Boost editor open. We don’t log these requests anywhere, and if you didn’t have the Boosts editor open these requests were not made. Regardless this is against our privacy policy and should have never been in the product to begin with.

Even worse, to write the comment I had to ask ChatGPT how it works for windows...

I mentioned javascript because I mostly see that cohort jump feet first into services like firebase/supabase/clerk/vercel/etc.

1. Chrome's security team has a very good reputation.

2. I don't know how accurate it is in 2024, but there are comparisons like https://madaidans-insecurities.github.io/firefox-chromium.ht... out there.

I assume this is similar to Russia where people get their father's name assigned as middle name

seems like it is the case: https://news.ycombinator.com/item?id=41601332

From the quoted snippet, every page load is leaking both the domain and authed user’s ID to Firebase.

Thanks for the reply! I think I disagree with you, mostly because it seems like this particular bug could have been company-destroying because of the potential reputation hit if it was exploited on a wide scale.

But regardless, I appreciate your perspective and it gives me some stuff to consider I hadn't previously.

I think we all know that tech debt often lives forever, so if you're going to start a browser company, you simply must be thinking about security/privacy from day one. If the VC model doesn't make that possible, then the only reasonable conclusion is that browsers shouldn't be a thing that VC funded startups work on.

They disclosed the vulnerability directly to the co-founder CTO.

> the timeline for the vulnerability:

> aug 25 5:48pm: got initial contact over signal (encrypted) with arc co-founder hursh

> aug 25 6:02pm: vulnerability poc executed on hursh's arc account

Arc is a great product, it's the nicest web browser to use, you can tell these people are really good at their jobs in many respects (though apparently not security?!?). probably a lot of investors saw that too and are willing to fund a very strong team with the hope of eventual product-market fit.

> They claim so much and their browsers' code is 100% proprietary

Far from me to defend Arc (I dislike it for several reasons) but it’s based on Chromium so it’s far from 100% proprietary. Don’t Edge, Vivaldi, and even Chrome have proprietary layers on top of the open-source Chromium?

To be clear, it's a cat named "cat" in Japanese.

Good pun :)

HN tends to be a little hard on brief comments. My current understanding is that comments with little substance are totally acceptable provided they're good natured.

For example this comment by dang "There's nothing wrong with submitting a comment saying just "Thanks."" https://news.ycombinator.com/item?id=37251836.

Also from the guidelines "Comments should get more thoughtful and substantive, not less, as a topic gets more divisive": this post's topic doesn't likely qualify as divisive.

[flagged]