Gaining access to anyones browser without them even visiting a website

There are a lot of major security vulnerabilities in the world that were made understandably, and can be forgiven if they're handled responsibly and fixed.

This is not one of them. In my opinion, this shows a kind of reputation-ruining incompetency that would convince me to never use Arc ever again.

I just wanted to say, I enjoyed the little pixel art cat that runs towards wherever you click immensely. It’s one of those fun, whimsical little touches that I don’t see all that often. A reminder that the internet can be a fun, whimsical place if we want it to be :)

Can we have Arc added to the title of the post to better alert people who use or know people who use the browser?

This is such a fantastic bug. Firebase security rules (like with other BaaS systems like Firebase) have this weird default that is hard to describe. Basically, if I write my own API, I will set the userId of the record (a 'boost' in this case) to the userId from the session, rather than passing it in the request payload. It would never even occur to a developer writing their own API past a certain level of experience to let the client pass (what is supposed to be) their own userId to a protected API route.

On the other hand, with security rules you are trying to imagine every possible misuse of the system regardless of what its programmed use actually is.

Nice article, but this is hard to read without proper capitalization. My brain uses capitals to scan beginning and ending of text.

OP is talking about the Arc browser, not the Arc language, the Arc "Atomic React" project, or any of scores of other projects with that name.

$2000 is an insulting amount for such a huge vuln

Great research. As I've said elsewhere, Firebase's authentication model is inherently broken and causes loads of issues, and people would be better off writing a small microservice or serverless function that fronts Firebase.

Also, for anyone trying to read the article, they should put `/oneko.js` in their adblocker.

I’m ashamed I fell for Arc and even recommended it to my friends, as someone whose job is exactly this but with Android apps :(

Start -> Control Panel -> Programs and Features -> Search 'Arc' -> Uninstall.

the developers working with firebase should enforce common-sense document crud restrictions in the rules. that's just how firebase is. everyone knows it.

now, when talking about ARC BROWSER, i am seriously starting to doubt the competence of the team. I mean, if the rules are broken (no tests? no rules whatsoever?), what else is broken with ARC? are we to await a data leak from ARC?

any browser recommendations with proper vertical tabs and basically everything working like it does in ARC?

I wish we didn't have to sign up to use a browser in the future

while researching, i saw some data being sent over to the server, like this query everytime you visit a site

I'm not surprised in the least --- basically the vast majority of software these days is spyware. Looking at Arc's privacy page, it appears to be mainly marketing fluff similar to what I've seen from other companies. I have yet to find a privacy policy that says frankly "we only know your IP and time you downloaded the software, for the few weeks before the server logs are overwritten."

This is a nice investigation and a great read. Sad that they don't normally do bug bounties. $2000 seems small considering the severity of this vulnerability. Though I guess the size and finances of the company is a factor. It takes some serious skills, effort and luck to discover something like that. It should be well compensated.

Article great, cute doge even better. Here's my upvote!