
Gaining access to anyone's Arc browser without them even visiting a website | Orange site is unhappy with Arc devs. Will this destroy The Browser Company??! :marseyscream:

https://news.ycombinator.com/item?id=41597250

Arc is an "alternative" paid browser for ...? I'm not really sure, but they got a bunch of VC money, which they've apparently spent on some insecure out-of-the-box backend (it's a modern browser that you must log in to) from Google called Firebase, and now there's a big exploit where hackers can gain access to your entire browser without you even visiting a web page.

Their cofounder and CTO, Hursh Agrawal :marseytunaktunak:, arrives to calm the natives but instead riles them up further, as they are now demanding his resignation and head on a stick.

https://i.rdrama.net/images/17268640078427947.webp

According to this article, Arc requires an account and sends Google's Firebase the hostname of every page you visit along with your user ID. Does this make Arc the least private web browser currently being used?


I'm Hursh, cofounder and CTO of The Browser Company (the company that makes Arc). Even though no users were affected and we patched it right away, the hypothetical depth of this vulnerability is unacceptable. We've written up some technical details and how we'll improve in the future (including moving off Firebase and setting up a proper bug bounty program) here: https://arc.net/blog/CVE-2024-45489-incident-response.

I'm really sorry about this, both the vuln itself and the delayed comms around it, and really appreciate all the feedback here – everything from disappointment to outrage to encouragement. It holds us accountable to do better, and makes sure we prioritize this moving forward. Thank you so much.

Was the post written for HN users only? I cannot see it on your blog page (https://arc.net/blog). It's not posted on your Twitter either. Your whole handling seems to be responding only if there is enough noise about it.

Hursh, can you please respond to the above commenter? As an early adopter, I find it fairly troubling to see a company that touts transparency hide the blog post and only publicly "own up to it" within the confines of a single HN thread.

Comments further down are concerned that on each page load, you're sending both the URL and a(n identifiable?) user ID to TBC. You may want to comment on that, since I think it's reasonable to say that those of us using not-Chrome (I don't use Arc personally, but I'm definitely in the 1% of browser users) are likely to also be the sort of person concerned with privacy. Vulnerabilities happen, but sending browsing data seems like a deliberate design choice.


There isn't really anything you can do to convince me that your team has the expertise to maintain a browser after this. It doesn't matter that you have fixed it, your team is clearly not capable of writing a secure browser, now or ever.

I think this should be a resigning matter for the CTO.


No mention of the pitiful bounty reward (2000 USD). Only sorry and thanks. Please award this person a proper bounty.


>Proprietary software is a security and privacy nightmare

If only someone had warned us about those who despise user freedom !fosstards


I do find it funny how the only way anyone can be sure that a piece of software is actually secure is if it's open source; otherwise it's almost guaranteed to be filled with zero-days and really obvious vulns.


$2000 bounty

White hat hackers might as well do it for free, lol :marseyjann#y:


ikr? this is a tasty butt exploit :marseyhannibal:


This is unbelievably incredibly dumb. Not only can I just view anyone's browser history, I can just inject arbitrary JavaScript into anybody's browser rendering any arbitrary URL. Without even tricking them into viewing some page I own.


Holy shit, this is incredible. A built-in XSS cloud service hosted on Firebase with no ACLs :marseydarkxd#: How do you come back from this?

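The "no ACLs" failure the two comments above point at is, in Firebase terms, a security-rules problem: the database accepts any authenticated caller's reads and writes against any document, so one account's injected script can land in another account's browser. The rules file below is an added illustration, not code from the page, the HN thread or The Browser Company. The page does not say which Firebase product Arc used, so Firestore rules are assumed; the collection name `userScripts`, the field `ownerId` and the `isOwner` helper are hypothetical. The over-permissive rule is kept as a comment next to the owner-scoped replacement so the two shapes can be compared.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Hypothetical collection: one document per user-authored script,
    // with an `ownerId` field holding the Firebase Auth uid of its author.
    match /userScripts/{scriptId} {

      // WEAK (the "no ACLs" shape): any signed-in account can read or
      // overwrite *every* document, including other users' scripts.
      // allow read, write: if request.auth != null;

      // HARDENED: every operation is tied to the document's stored owner.
      allow read:   if isOwner(resource.data.ownerId);
      allow create: if isOwner(request.resource.data.ownerId);
      allow update: if isOwner(resource.data.ownerId)
                    // ownership cannot be transferred by rewriting the field
                    && request.resource.data.ownerId == resource.data.ownerId;
      allow delete: if isOwner(resource.data.ownerId);
    }

    // True only for a signed-in caller whose uid matches the stored owner;
    // a missing document makes `resource` null and the request is denied.
    function isOwner(uid) {
      return request.auth != null && request.auth.uid == uid;
    }
  }
}
```

Two practical consequences of the hardened form: a client listing scripts must constrain the query to its own uid (for example `where("ownerId", "==", uid)`), because Firestore rejects list queries that could return documents the rules would deny, and the ownership check can be exercised offline against the Firebase Local Emulator Suite before deploying, which is where a rule like the commented-out one should be caught.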

Dumb idea to need to make an account to merely use a browser.


Great idea if you like money, actually.


>you need to log in to use your browser since its backend uses a cloud database :marseylaughpoundfist:

>they did this so they "can develop faster because they don't need to worry about the backend" :marseybrainlet:

what the frick

this thing's users deserve whatever they get lmao :mjlol:


I don't understand how using a cloud database instead of a local one makes you not worry about the backend. Wouldn't you basically be doing the same amount of worrying either way?
