
There are a lot of major security vulnerabilities in the world that were made understandably, and can be forgiven if they're handled responsibly and fixed.

This is not one of them. In my opinion, this shows a kind of reputation-ruining incompetency that would convince me to never use Arc ever again.




On the other hand, this is pretty impressive:

    aug 25 5:48pm: got initial contact over signal (encrypted) with arc co-founder hursh
    aug 25 6:02pm: vulnerability poc executed on hursh's arc account
    aug 25 6:13pm: added to slack channel after details disclosed over encrypted format
    aug 26 9:41pm: vulnerability patched, bounty awarded
    sep 6 7:49pm: cve assigned (CVE-2024-45489)
Four hours from out-of-the-blue initial contact until a fix pushed is pretty good, even given how simple this fix probably was.

EDIT: Oh, the date changed; so it was 28 hours until fix. Still decent; and half an hour from initial contact to "Join our slack channel" is incredibly fast response time.


Reacting fast is the least the vendor could do. Bare minimum. This should not be applauded. It should be treated as "well, at least they reacted at a reasonable speed so the root cause was probably not malice".

In other words, a quick turnaround with a fix does not lessen the impact of being negligent about security when designing the product.


> Reacting fast is the least the vendor could do.

It's certainly the least a vendor should do, but it's absolutely not the least a vendor could do, as we see the vast majority of vendors do far, far less. It's worth holding people up and saying, "This is how you should be doing it."


You’re technically correct, given a literal reading of the post you quoted, but the use of “could” there was idiomatic - let me explain:

There’s a (fairly dated) idiom, “it’s the least I can do”, used when you are offering to do something to make up for a mistake or offense, but the person you hurt says your offer of compensation is unnecessary. For example:

Situation: Person A bumps into Person B in the cafe, causing B to drop their coffee cup.

A: I’m so sorry! Let me buy you another coffee.

B: That’s not necessary - it was an accident, and I had almost finished my drink anyway.

A: It’s the least I can do!

B: Oh, thank you so much!

Buying B a new coffee is not _literally_ the least A could have done - the least A could have done is nothing - but that’s the English idiom. “Can” is acting more like “should” here. You could read it as “It’s the least I can do (if I’m a good person, which I am)”.


Thank you for the explanation -- when I'm speaking foreign languages I appreciate this sort of explanation. But in this case, as a native English speaker, I was well aware of the idiom, and was trying to subvert it. :-)

The original idiom is said in the first person, and as you say means essentially, "Justice and equity compel me to do this; I don't find myself able to do less".

GGP was actually using a derivative of the idiom in the second person. What the derivative literally says is, "Justice and equity compel them to do this; they don't find themselves able to do less". But idiomatically, what it actually means is, "Justice and equity ought to compel them to do this; they ought not to find themselves able to do any less".

Which is true; but it's still the case that the vast majority of companies find themselves very much able to do far less. Justice and equity should compel companies to do this bare minimum, but in the vast majority of cases it doesn't. And so we should still commend those who do find themselves so compelled, and hold them up as an example.

[some edits]


Agreed!


> Reacting fast is the least the vendor could do.

And yet, so few do. Let's remind ourselves the bar sank into the floor a long time ago.


"They put the bandaid over the wound caused by a flagrant disregard for the users privacy, security, and safety."

Phew, glad that's over and will never happen again.


28 hours (note the date), but still


28 hours for a 1 line fix is impressive?


The mandatory account just to try Arc was always a massive red flag to me - and led to me never trying it. Now I’m glad I didn’t!


You could have just borrowed someone else’s, it appears.


Ironically, that would help the privacy concerns since it would intermingle all traffic in their analytics system. Win-win!


No Linux version prevented me from trying it, didn't even get to the account wall, who knows if there's a pay wall. Perhaps the "moat" concept was misunderstood.


Same


Honestly I’ve always considered Arc to be a wolf in sheep’s clothing, especially when it comes to privacy.

50-60mm cash at 500mm (!) valuation and no business model is a big red flag when it comes to something as important, as personal as a browser. This is not a charity. Someone, somehow will have to pay for that.


Yeah I’m so torn. It’s honestly the best browser UX I’ve seen, the right combination of vertical tabs, auto archiving, spaces/collections, sync, etc. I don’t care for Easels, but the core is good.

Except… the growth hacks have started to creep in. They overlay an advert for their own AI services on top of regular Google search results pages in their mobile app. Not even a browser chrome UI element, it’s literally over the page content. That feels like a huge violation of what it means to be a browser.

I don’t want their AI features. I don’t want growth hacks. I don’t want to sign in except for sync. I’d happily pay $40 a year for Arc as a product-focused-product, but as a VC-focused-product it’s heading downhill.


It does get a lot right and feels smooth in ways that Chrome, the various Chrome-clones, and Firefox just don't. It's also ironically the only browser even trying to feel native on Windows, using WinUI/WinAppSDK for its UI there, despite originally being Mac only.

It's unfortunate that other cross platform browsers have such a strong tendency to phone in these little things, because they really do add up to make for a nicer experience.


I'm torn for the same reason: The UX hits all the right notes for me and I've tried every macOS browser under the sun. I'm an ADHD sufferer and there's something about their combination of features and UI that just lets me get stuff done. And I don't even touch their AI features.

This is all really sad news.


You might like Zen Browser https://zen-browser.app/


Thanks for the recommendation. I just had a quick try, it's nice, seems like a very polished Firefox. It seems to have a bunch of features I don't want in a browser so not sure if they'll get in the way.



Have you tried Vivaldi? It's really customizable and has a lot of features.


Vivaldi feels like a cross platform port in all the ways I try to avoid. I understand the feature set is good, but it doesn't feel nice to use. Hard to state exactly why though.


You’d think that a company shipping a browser would pay a little more attention to security rules.

Also, shame on firebase for not making this a bit more idiot proof.

And really? $2500? That’s it? You could’ve owned literally every user of Arc… The NSA would’ve paid a couple more zeros on that.


> You could’ve owned literally every user of Arc… The NSA would’ve paid a couple more zeros on that.

only the 17 users they have.

Shouldn't a government sue you if you try to sell it a vuln, unless you personally know the people in charge?


Arc has a lot more than 17 users. It’s surprisingly popular.


I guess not, since they used the services of a company that could exploit vulns in iOS.


Are there a lot of Arc users? It seems like a pretty niche browser even compared to other niches.


Lots of developers and power users make up a good chunk of Arc's user base. If you're after some interesting credentials then "every Arc user" is a perfect group with little noise.


> power users

Not that many. Most power users don't like being forced to log in before they are able to use the browser.


If I had to guess, the typical Arc user is a Mac user in tech. It doesn't run on Linux, most windows users wouldn't run it, and non-tech people haven't heard of it.

Then most engineering IC people will most likely run Firefox or Chrome, so you're probably looking at designers/founders/managers as your target.

Probably some interesting targets there, but not the type that the NSA cares about. Just pure conjecture on my part of course ;).


The only person I ever saw using Arc was a designer at a tech startup, so this checks out.


I've seen quite a few. In one of my clients' Slacks there are at least a couple of people advocating for it all the time. They're mostly DLs or in similar roles. I also know at least one developer who uses it.

I used it for a while for a very limited use case. Some interesting concepts. Mostly I found it annoying though. I also didn't like the sign-in thing but still wanted to experiment. I have dropped it altogether and kept Firefox as main browser (as it's been for many years) and Safari as a secondary. Both work much better overall for my needs.


confirmed

I don't even like logging in WHILE using the browser, and have never heard of Arc.


I've only heard of ARC the obsolete archive format ...


Having arbitrary browser access would be pretty valuable, even for just a small number of users.


> As of July 2023, The Browser Company has 100,000+ users

https://www.boringbusinessnerd.com/startups/the-browser-comp...

That's a year ago. Looking at how upvoted this bug has been, they do have many users


My brother uses Arc browser; he is a developer. I think he saw it from somebody using it (maybe Theo t3 or some other creator he watches), and he found it cool (plus there were a lot of videos flooding in saying Arc is really great, IDK).

If someone finds something cool on the internet, they are going to try it, given that they are capable of doing so.

He had a Mac, so he was able to do so. Even I tried to run Arc on Windows once when it was really beta and only available on Mac (I think now it supports Windows, not sure).

I just kindly want to state that if the NSA could've bought this exploit, they could've simply waited and maybe even promoted Arc themselves (seems unlikely).

Maybe they could've tried to boost the number of Arc users by trying to force Google's and Microsoft's search engines through some secret shady company, advertising / writing blog posts for Arc / giving Arc funding, or like how we know that there are secret courts in America

(and since these search engines basically constitute a high percentage of users' discovery of stuff).

People could've credited the success to Arc in that case for getting more users, but the real winner would've been the NSA.


> He had a mac so he was able to do so

How? I have a Mac as well, but when I downloaded it some time ago it required login. Has that changed?


No. You still need to create a login.

Everyone else at work likes it, so I signed up with my work e-mail address and use it for work. All of my complicated browsing needs are done for work, so there's a good fit there.


No, I meant that although you need to log in, I think Arc isn't available on Linux, only Mac (or maybe Windows, though not sure; I see some issues + the security issue).

Yes, it required login and my brother logged in (just see! the amount of friction to log in etc., yet my brother, whom I would consider to be a little conscious of security, still gave it a try in the first place).

Sorry if I didn't respond correctly.


Firestore rules have been in "lock mode" (no read or write allowed) by default for a long time. And everything is extremely well explained in the docs.

I was already aware of it as a noob dev 10 years ago, and could easily write a rule to enforce auth + ownership in the rules. No way seasoned devs can miss that.


The page says $2,000.


A couple? A vuln like this is worth >$1M very easily on the market.


Yes. I feel sad that we have now created an incentive where selling to governments is often much more lucrative than telling the vulnerable party (Arc in this case).

(Just imagine: this author was great for telling the company; this is also a cross-platform exploit with very serious issues (I think Arc is available on iOS as well).)

How many such huge vulnerabilities exist that we just don't know about, because the author disclosed them not to the public or the vulnerable party but rather to the NSA or some government agency?


Also, firebase? seriously? this is a company with like, low level software engineers on payroll, and they are using a CRUD backend in a box. cost effective I guess? I wouldn't even have firebase on the long list for a backend if I were architecting something like this. Especially when feature-parity competitors like Supabase just wrap a normal DBMS and auth model.


> low level software engineers on payroll

How does The Browser Company make money? They're giving their product away for free.

Browsers are complicated. It doesn't inspire confidence that the folks in charge of that complexity can't get their heads around a business model.

(Aside: none of their stated company values have anything to do with the product or engineering [1]. They're all about how people feel.)

[1] https://thebrowser.company/values/


They don't have a business model yet, is the thing.


> Browsers are complicated. It doesn't inspire confidence that the folks in charge of that complexity can't get their heads around a business model.

Unfortunately you are also describing Mozilla here.


Well, it's an app that users access all their online info through - bank, email, search, work, social - everything. Even an open-source, decentralized, blockchain, grass-fed, organic, extra virgin, written in nothing but HTML, released by W3C itself browser could monetize just ~5% of market share if users are downloading their build (or if its baked into the source), considering how much a browser reveals about its user and to the extent the user can be retargeted for: Ads, marketing, surveillance, analytics.

The biggest opportunity has to be driving search traffic to the major search providers all these browsers partner with.

Could also get acquired by a major browser vendor if you have a better product and people are downloading it more than the major ones, especially if both are based on the same underlying engine. Even Firefox still sucks to this day. I'm using it right now (Waterfox) the product still sucks! I know of some browser vendors acquiring others, especially as mobile took off and it was hard to get it right.

Seems like the opportunity is similar to that of social media but slightly more modern because nobody uses new social media anymore but people are trying out new browsers (and you get richer user/usage data).


I don't see an issue, using something like Firebase is what a smart engineer would do. Just this one piece of logic is a problem.


I tend to agree with this. Why re-invent the wheel by spending engineering effort building a CRUD backend?

If you're trying to bring value to market, focus on your core differentiator and use existing tooling for your boilerplate stuff.


It’s the “chrome replacement we have been waiting for”, but (if I read this right), my data is still sent to Firebase? Also it’s a browser, not a “tinder but for cats” startup idea I’m writing for my cousin for a beer.

It’s not only not a smart engineering decision, it’s also a terrible product, reputation and marketing decision.


I'm not disagreeing about the severity of the security vulnerability that has been uncovered – to be clear, it's an absolute shocker of a bug. It's really disappointing to see.

But I still disagree that the use of Firebase, in and of itself, is a bad engineering decision. It's just a tool, and it's up to you how you use it.

Firebase gives you all features needed to secure your backend. But if you configure it incorrectly, then _that's_ where the poor engineering comes into play. It should have been tested more comprehensively.

Sure. You could build your own backend rather than using a Backend-as-a-Service platform. But for what gain? If you don't test it properly, you'll still be at risk of security holes.
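To make the "lock mode by default" and "configure it incorrectly" points above concrete, here is an added example of Firestore security rules, written for this thread and not taken from the linked write-up or from Arc's own configuration. It shows the locked default rule, a common weak rewrite that treats "signed in" as "authorized", and an auth + ownership rule. The collection names (`locked`, `weak`, `userDocs`) and the `ownerId` field are placeholders chosen for the example; they say nothing about how Arc's backend is actually structured.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // 1. The "locked mode" rule the console generates by default: no client
    //    can read or write anything. Safe, but unusable until it is replaced,
    //    and the replacement is where misconfigurations are introduced.
    match /locked/{doc} {
      allow read, write: if false;
    }

    // 2. A common weak rewrite: authentication is mistaken for authorization.
    //    Any account, including one an attacker creates for free, can read
    //    and overwrite every document in this collection.
    match /weak/{doc} {
      allow read, write: if request.auth != null;
    }

    // 3. Auth + ownership. `ownerId` holds the Firebase Auth uid of the
    //    user who owns the document (placeholder field name).
    match /userDocs/{docId} {
      function signedIn() {
        return request.auth != null;
      }
      // `data` is either resource.data (the stored document) or
      // request.resource.data (the document as it would be after the write).
      function ownedByCaller(data) {
        return signedIn() && data.ownerId == request.auth.uid;
      }

      // Reads: single gets and queries. For `list`, Firestore requires the
      // query itself to constrain ownerId to the caller's uid.
      allow get, list: if ownedByCaller(resource.data);

      // Creates: the new document must name the caller as owner.
      allow create: if ownedByCaller(request.resource.data);

      // Updates: check the stored owner AND keep the owner field immutable.
      // Checking only the stored owner lets a caller reassign their own
      // document to another user's uid; checking only the post-write owner
      // lets a caller take over any document by writing their own uid into it.
      allow update: if ownedByCaller(resource.data)
                    && request.resource.data.ownerId == resource.data.ownerId;

      allow delete: if ownedByCaller(resource.data);
    }
  }
}
```

The practical check is the one the commenter above asks for: run these rules against the Firestore emulator with the `@firebase/rules-unit-testing` package, authenticating as two different uids, and assert that user B cannot read, update, delete, or re-own a document created by user A. Rules deploy silently, so that test belongs in CI next to the rules file rather than in someone's memory.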


> a “tinder but for cats” startup idea

Needs a name. Meowr? Hissr?


Yowlr. (Which is apparently a dubstep musician.)


(Dubstep isn't music.)

My cats would use Yowlr.


This convinced me to never use Arc again. I created a small guide to migrate from it to an open-source alternative: https://gist.github.com/clouedoc/4acc8355782f394152d8ce19cea...

TL;DR: it's not possible to export data from Arc, but it's possible to copy-paste the folder to a Chrome profile, and Firefox and other browsers will detect&import it.


Unfortunately, Zen Browser simply isn't an alternative. If you like Arc, then Zen's UI for tabs and splitting views isn't really anywhere close to satisfying the same needs.


At least Firefox seems to be borrowing some of the UI features slowly. At least the Mozilla Foundation is very public with their wants and goals.


I was literally using Arc because of the ability to hide most of the userchrome.

Every time I open split views or tabs I curse. I've said this in the past but layering view multiplexors has to be the most stupid modern "super-user" trap. You have the ability to open multiple browser windows and composite them side by side, use it.

Does anyone know of any other browsers that are chromium based and have very little features aside the ability to hide most of the UI?


Firefox seems to be borrowing some of the UI features slowly (at least the vertical tabs). And at least the Mozilla Foundation is very public with their wants and goals.


I also wrote a guide on ARC features that work better on Firefox: https://thannymack.com/#Arc%20features%20that%20work%20bette...


What is Arc?



I agree & disagree.

Browsers are a very important part of our life. If someone compromises our browsers, they basically compromise every single aspect of privacy, and it can lead to insane scams.

And because Arc browser is new, they wanted to build fast, and so they used tools like Firebase / Firestore to be capable of moving faster (they are a startup).

Now I have read the article, but I am still not sure how much of this can be attributed to Firebase or to Arc.

On the following page from the same author (I think), https://env.fail/posts/firewreck-1 , the tldr states

- Firebase allows for easy misconfiguration of security rules with zero warnings

- This has resulted in hundreds of sites exposing a total of ~125 Million user records, including plaintext passwords & sensitive billing information

So because Firebase advertises itself to developers as being safe yet is not safe, I think Arc succumbed to it.

Firestore has a tendency to not abide by the system proxy settings in the Swift SDK for Firebase, so going off my hunch,

Also, you say that you have been convinced to never use Arc again.

Did you know that Chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to websites under *.google.com?

This was just recently discovered. Just imagine if something more serious is also waiting in the shadows. Couldn't this also be considered a major security vulnerability just waiting to happen if some other exploit like this is discovered / google.com is leaked, and now your CPU information and way more other stuff which browsers shouldn't know is with a malicious threat actor?


I very much agree with the idea that browsers are security-sensitive software, unlike, say, a picture editor, and more like an ssh server. It should be assumed to be constantly under attack.

And browser development is exactly not the area where I would like to see the "move fast, break things" attitude. While firebase may be sloppy with security and thus unfit for certain purposes, I would expect competent developers of a browser to do due diligence before considering to use it, or whatever else, for anything even remotely related to security. Or, if they want to experiment, I'd rather that be opt-in, and come with a big banner: "This is experimental software. DO NOT attempt to access your bank account, or your real email account, or your social media accounts".

With that, I don't see much exploit potential in learning stats like the number of cores on your machine. Maybe slightly more chances of fingerprinting, but nothing comparable to the leak through improper usage of firebase.


Hmm, interesting. The other thing to add is that if we treat it as an SSH server, we actually won't try to go out and break things.

But I think that was the whole point of Arc: to break the convention and be something completely new,

and I have a reason why.

They were competing with giants called Google, Safari, Firefox, which have insanely large funding, and their whole point was trying to sell something later built on this Arc browser.

And since Chrome, Firefox etc. don't try to come up with these ideas because, well, security reasons (which I agree with / as seen in the post),

I think Arc wanted to separate itself from Chrome / Firefox, and that's why they became a bit reckless, you could say, since this exploit was available.

Also, the other thing I want to convey, regarding "With that, I don't see much exploit potential in learning stats like the number of cores on your machine":

this was only recently discovered. Just imagine the true amount of exploits in these proprietary solutions which we don't know about.

Yeah. Just like an SSH server, I would personally like the source code to be available, but developing browsers is time consuming and money intensive for developers. Ladybird exists, but it's in beta.

That being said, open source is also not that private (xz), but at least it got discovered quickly and was mitigated quickly.


You do know that there are more than chrome and arc right?


I understand. I use Firefox / earlier used LibreWolf.

But a lot of people use Chrome, so I wanted to at least try to give a justification of why / how Arc messed up so hard.


> Did you know that chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to the websites starting with *.google.com ?

That's pretty interesting. Where can I learn more about this?


I recall there being a thread with way more discussion at the time, but I can't put my finger on that thread right now. This post has some information:

https://news.ycombinator.com/item?id=35152419


>>Did you know that chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to the websites starting with *.google.com ?

Yeah so using chrome based browsers like Arc is giving more power to Google to do shady stuff while also being a victim of the third party unsafe code.



