Gaining access to anyones browser without them even visiting a website
(kibty.town)276 points by xyzeva 9 hours ago | 47 comments
276 points by xyzeva 9 hours ago | 47 comments
endigma 5 hours ago | root | parent | next |
Also, firebase? seriously? this is a company with like, low level software engineers on payroll, and they are using a CRUD backend in a box. cost effective I guess? I wouldn't even have firebase on the long list for a backend if I were architecting something like this. Especially when feature-parity competitors like Supabase just wrap a normal DBMS and auth model.
JumpCrisscross an hour ago | root | parent |
> low level software engineers on payroll
How does The Browser Company make money? They're giving their product away for free.
Browsers are complicated. It doesn't inspire confidence that the folks in charge of that complexity can't get their heads around a business model.
(Aside: none of their stated company values have anything to do with the product or engineering [1]. They're all about how people feel.)
aaomidi 5 hours ago | root | parent | prev |
You’d think that a company shipping a browser would pay a little more attention to security rules.
Also, shame on firebase for not making this a bit more idiot proof.
And really? $2500? That’s it? You could’ve owned literally every user of Arc… The NSA would’ve paid a couple more zeros on that.
nemomarx 5 hours ago | root | parent | next |
Are there a lot of Arc users? It seems like a pretty niche browser even compared to other niches.
viraptor 2 hours ago | root | parent | next |
Lots of developers and power users make a good chunk of Arc's use base. If you're after some interesting credentials then "every Arc user" is a perfect group with little noise.
nicce an hour ago | root | parent |
> power users
Not that many. Most power users don't like to be forced for logging in, before they are able to use the browser.
doix 31 minutes ago | root | parent | next |
If I had to guess, the typical Arc user is a Mac user in tech. It doesn't run on Linux, most windows users wouldn't run it, and non-tech people haven't heard of it.
Then most engineering IC people will most likely run Firefox or Chrome, so you're probably looking at designers/founders/managers as your target.
Probably some interesting targets there, but not the type that the NSA cares about. Just pure conjecture on my part of course ;).
umanwizard 12 minutes ago | root | parent |
The only person I ever saw using Arc was a designer at a tech startup, so this checks out.
sulandor an hour ago | root | parent | prev |
confirmed
i don't even like logging in WHILE using the browser and have never heard of arc
shepherdjerred 4 hours ago | root | parent | prev |
Having arbitrary browser access would be pretty valuable, even for just a small number of users.
Thorrez 2 hours ago | root | parent | prev |
The page says $2,000.
water-data-dude 5 hours ago | prev | next |
I just wanted to say, I enjoyed the little pixel art cat that runs towards wherever you click immensely. It’s one of those fun, whimsical little touches that I don’t see all that often. A reminder that the internet can be a fun, whimsical place if we want it to be :)
Semaphor 3 hours ago | root | parent | next |
As I didn’t get that, it seems like the dev honors prefers-reduced-motion, and doesn’t display it in that case. Excellent of them, give joy to those who want it, prevent annoyances for those who hate them.
mzs 2 hours ago | root | parent |
Same for me, on FF you can override it with:
about:config
ui.prefersReducedMotion = 0
https://developer.mozilla.org/en-US/docs/Web/CSS/@media/pref...johndough 3 hours ago | root | parent | prev | next |
On Debian, you can install and run the cat with
sudo apt install oneko
oneko &
Makes a great gift for colleagues who leave their computer unattended.TiredOfLife 3 hours ago | root | parent | prev |
On desktop it follows the mouse no need to click.
monroewalker 3 hours ago | prev | next |
Can we have Arc added to the title of the post to better alert people who use or know people who use the browser?
ko_pivot 7 hours ago | prev | next |
This is such a fantastic bug. Firebase security rules (like with other BaaS systems like Firebase) have this weird default that is hard to describe. Basically, if I write my own API, I will set the userId of the record (a 'boost' in this case) to the userId from the session, rather than passing it in the request payload. It would never even occur to a developer writing their own API past a certain level of experience to let the client pass (what is supposed to be) their own userId to a protected API route.
On the other hand, with security rules you are trying to imagine every possible misuse of the system regardless of what its programmed use actually is.
nottorp 2 hours ago | root | parent |
> On the other hand, with security rules you are trying to imagine every possible misuse of the system regardless of what its programmed use actually is.
Tbh you're doing it wrong if you go that way.
Default deny, and then you only have to imagine the legitimate uses.
ahoef 2 hours ago | prev | next |
Nice article, but this is hard to read without proper capitalization. My brain uses capitals to scan beginning and ending of text.
michaelt an hour ago | root | parent |
If you were using Arc you could add a Boost for "Case: toggle between different capitalization settings - they will apply to all text on the webpage" [1]
/s
[1] https://resources.arc.net/hc/en-us/articles/19212718608151-B...
imglorp 5 hours ago | prev | next |
OP is talking about the Arc browser, not the Arc language, the Arc "Atomic React" project, or any of scores of other projects with that name.
throwaway984393 4 hours ago | root | parent |
[dead]
shepherdjerred 4 hours ago | prev | next |
$2000 is an insulting amount for such a huge vuln
isoprophlex 2 hours ago | root | parent |
Yeah, you have to have some solid backbone not to sell this off to some malicious party for 20-50x that amount...
saagarjha an hour ago | root | parent |
A malicious party who wants a vulnerability in a browser effectively nobody uses?
supriyo-biswas 5 hours ago | prev | next |
Great research. As I've said elsewhere, Firebase's authentication model is inherently broken and causes loads of issues, and people would be better off writing a small microservice or serverless function that fronts Firebase.
Also, for anyone trying to read the article, they should put `/oneko.js` in their adblocker.
Aaron2222 4 hours ago | root | parent |
> Also, for anyone trying to read the article, they should put `/oneko.js` in their adblocker.
Only if you hate cats, pixel art, or are easily distracted.
hunter2_ 3 hours ago | root | parent | next |
I suspect it's that they hate are easily distracted (if "hate" falls outside of the series, such that it applies beyond just "cats")!
nottorp 2 hours ago | root | parent | prev |
Looks like someone already added it to uBlock Origin since I see no cat.
Or maybe the cat doesn't support Firefox...
doix an hour ago | root | parent |
Did you enable the ui.prefersReducedMotion setting? That hides the cat from what I can tell
nottorp an hour ago | root | parent |
Hmm not that I remember. But I have reduced motion enabled on my phone system wide and maybe that synced to my desktop on its own.
Which is scary come to think of it.
whatevermom 21 minutes ago | prev | next |
I’m ashamed I fell for Arc and even recommended it to my friends, as someone whose job is exactly this but with Android apps :(
ainiriand 38 minutes ago | prev | next |
Start -> Control Panel -> Programs and Features -> Search 'Arc' -> Uninstall.
bestest 2 hours ago | prev | next |
the developers working with firebase should enforce common-sense document crud restrictions in the rules. that's just how firebase is. everyone knows it.
now, when talking about ARC BROWSER, i am seriously starting to doubt the competence of the team. I mean, if the rules are broken (no tests? no rules whatsoever?), what else is broken with ARC? are we to await a data leak from ARC?
any browser recommendations with proper vertical tabs and basically everything working like it does in ARC?
fold3 2 hours ago | root | parent |
Did you took a look at the zen browser? It's an arc clone based on Firefox https://zen-browser.app/
orliesaurus 2 hours ago | prev | next |
I wish we didn't have to sign up to use a browser in the future
sulandor an hour ago | root | parent |
just don't use browsers that do
userbinator 5 hours ago | prev | next |
while researching, i saw some data being sent over to the server, like this query everytime you visit a site
I'm not surprised in the least --- basically the vast majority of software these days is spyware. Looking at Arc's privacy page, it appears to be mainly marketing fluff similar to what I've seen from other companies. I have yet to find a privacy policy that says frankly "we only know your IP and time you downloaded the software, for the few weeks before the server logs are overwritten."
nickisnoble 2 hours ago | root | parent |
Yeah, and no mention of if they addressed this.
jongjong 2 hours ago | prev | next |
This is a nice investigation and a great read. Sad that they don't normally do bug bounties. $2000 seems small considering the severity of this vulnerability. Though I guess the size and finances of the company is a factor. It takes some serious skills, effort and luck to discover something like that. It should be well compensated.
upghost 7 hours ago | prev |
Article great, cute doge even better. Here's my upvote!
ars 7 hours ago | root | parent | next |
The dog is actually a cat named Neko.
DoreenMichele 6 hours ago | root | parent |
To be clear, it's a cat named "cat" in Japanese.
upghost 4 hours ago | root | parent | prev |
I got downvoted for calling it a dog??
Now that's ruff!!
bhaney 6 hours ago | next |
There are a lot of major security vulnerabilities in the world that were made understandably, and can be forgiven if they're handled responsibly and fixed.
This is not one of them. In my opinion, this shows a kind of reputation-ruining incompetency that would convince me to never use Arc ever again.