Arc is an "alternative" paid browser for ...? I'm not really sure, but they got a bunch of VC money, which they've apparently spent on some insecure out-of-the-box backend (it's a modern browser that you must log in to) from Google called Firebase, and now there's a big exploit where hackers can gain access to your entire browser without you even visiting a web page.
Their cofounder and CTO, Hursh Agrawal, arrives to calm the natives but instead riles them up further, as they are now demanding his resignation and head on a stick.
According to this article, Arc requires an account and sends Google's Firebase the hostname of every page you visit along with your user ID. Does this make Arc the least private web browser currently being used?
I'm Hursh, cofounder and CTO of The Browser Company (the company that makes Arc). Even though no users were affected and we patched it right away, the hypothetical depth of this vulnerability is unacceptable. We've written up some technical details and how we'll improve in the future (including moving off Firebase and setting up a proper bug bounty program) here: https://arc.net/blog/CVE-2024-45489-incident-response.
I'm really sorry about this, both the vuln itself and the delayed comms around it, and really appreciate all the feedback here – everything from disappointment to outrage to encouragement. It holds us accountable to do better, and makes sure we prioritize this moving forward. Thank you so much.
Was the post written for HN users only? I cannot see it on your blog page (https://arc.net/blog). It's not posted on your Twitter either. Your whole handling seems to be responding only if there is enough noise about it.
Hursh, can you please respond to the above commenter? As an early adopter, I find it fairly troubling to see a company that touts transparency hide the blog post and only publicly "own up to it" within the confines of a single HN thread.
Comments further down are concerned that on each page load, you're sending both the URL and a(n identifiable?) user ID to TBC. You may want to comment on that, since I think it's reasonable to say that those of us using not-Chrome (I don't use Arc personally, but I'm definitely in the 1% of browser users) are likely to also be the sort of person concerned with privacy. Vulnerabilities happen, but sending browsing data seems like a deliberate design choice.
There isn't really anything you can do to convince me that your team has the expertise to maintain a browser after this. It doesn't matter that you have fixed it, your team is clearly not capable of writing a secure browser, now or ever.
I think this should be a resigning matter for the CTO.
No mention of the pitiful bounty reward (2,000 USD). Only sorry and thanks. Please award this person a proper bounty.
White hat hackers might as well do it for free, lol
ikr? this is a tasty butt exploit