I was terrified about this vulnerability because I thought someone was going to use it to push their new JavaScript framework onto my computer.
Haha. That's ok, they just stole your data. Business as usual.
That's what your boss would do if they knew how to use a computer
Now that's what I call a funny joke ..
Why wouldnt you want your apps to be blazingly fast?
No, that’s what ‘npm’ is for 👍
3:41 ayy made it into a fireship video
Congrats lol
And from threads ofc hahaha
Update your resume asap
Great cameo bro🎉
It's only downhill from here on
luckily i was safe from this exploit by using arc on windows where 95% of the features from the macOS version are literally not implemented 👍
I was literally thinking the same thing lol
luckily I was safe by not using this spyware jank browser and not using either of those oses
@@gg-gn3re but the real question is, what has more spyware? Those two OSes or the browser
@@gg-gn3re Linux users taking every single chance they can to let people know they use Linux
i only use arc on school windows computers because it’s so new that the schools haven’t blocked it yet :D
YES!! First exploit I can actually understand 🎉🎉🎉
same o
Try some ctfs I swear if you find some at your level it's gonna be fun
@@oyeezy
*Revelation 3:20*
Behold, I stand at the door, and knock: if any man hear my voice, and open the door, I will come in to him, and will sup with him, and he with me.
HEY THERE 🤗 JESUS IS CALLING YOU TODAY. Turn away from your sins, confess, forsake them and live the victorious life. God bless.
Revelation 22:12-14
And, behold, I come quickly; and my reward is with me, to give every man according as his work shall be.
I am Alpha and Omega, the beginning and the end, the first and the last.
Blessed are they that do his commandments, that they may have right to the tree of life, and may enter in through the gates into the city.
regardless of any security issues, i still don't trust a VC-backed browser
zem
VC?
@@Sidharth_V_Jain venture capital
I don't trust any browser that requires me to login to use it.
@@Sidharth_V_Jain Victor Charlie XD
* Proprietary browser made by a for-profit startup
* Requires an account to use
* Pinky-promises absolute privacy yet gives the browser away for free and expects to be profitable
* Already had a vulnerability worthy of a 9.8 CVSS
* Valued the bounty for said 9.8 CVE a measly $2000
Yeah, I'm staying as far away from that as possible...
This is why I prefer Zen, it looks as good as Arc but is built on Firefox, open source and not made by some suspicious company
Well, it was made for apple users first... so what to expect.
Then it was released for windows, but only 11, initially. Suspiciously baffling.
They upped it to 20k
@@7heMech And a job offer to Eva ✌
I just came here to say "Nearly? I'm not touching that browser with a 10 foot pole".
"I use Arc, by the way."
Really, that aged well.
do you mean "i use arch, by the way"?
totally different thing
You're not smart ya know @@lilyeatssoup
@@lilyeatssoup I bet jordank was serious too. guy better wear his helmet before going outside, might hurt himself
@@lilyeatssoup Typical Arch user not knowing what a joke is (I use Arch btw fr)
@@Kreze202 Someone finally caught the reference. Good God, I thought it was obvious.
Shouldn't have to have an account to use a browser in the first place. Huge red flag. But w/e
Yeah, it seems like it could be an opt-in feature. Offline users could have an encrypted config file that they could sync between devices if they want, so they could use their own sync service of choice like Syncthing, etc. Even the ease of syncing JavaScript overrides between devices is an oversight.
Firefox has an account system? It’s stunningly useful for syncing your bookmarks and passwords across devices.
@@hastyscorpion Yeah, but unlike Arc, Firefox doesn't force you to sign in before using the browser
@@hastyscorpion the argument isn't against accounts as a feature, it's against forcing it onto everyone.
Vivaldi and Firefox also have account systems, but they are not forced. Odd of Arc to force that, but they do.
Arc FAQ: "Rest assured that your data and security is of utmost importance to us".
Real life: "Databases hard, access control not understand".
I installed arc on windows and it was so bad and raw I literally uninstalled in 5 minutes.
idk why people like this sh*t
@@aaaaaa-hh8cq only mac users
@@aaaaaa-hh8cq Because some idiots will try anything except for Chrome, it's like they think Google is this bad guy and everyone else is an angel, they all get your data, might as well just use Chrome and it's really secure and up to date, unlike these 3rd party shitty browsers.
xyzeva had a good quote in her article that was like “firestore is a database-as-a-backend service that allows for developers to not care about writing a backend”
I peeked at xyzeva's Twitter account. That was a huge mistake.
His?
@@MarvinPowell1 her twitter presence is so normal 😭
@@nothingtoseehere93 her*. Fireship misspoke and corrected himself with an onscreen correction.
@@MarvinPowell1 A mistake as in wasting your time? nothing there was particularly interesting
the way to sneak Diddy in the video was really great
And also a Michael Brown "didndu nothin wrong" joke as well, firebase has crossed into menace territory with the jokes 😮
But how would you find someone's account id in the first place?
Imagine using Google Maps to visit the near McD's and you end up getting diddled by Diddy.
😂😂
McDiddy's
five nights at diddy's
But how would you find someone's account id in the first place?
😂😂😂
When I first heard of Arc I said "if it's not open-source, or doesn't have very public audits, not interested", I got a lot of hate. Now here we (predictably) are lol.
Hate from who ? Reddit kids that have written their first Todo list in React last week ?
@@heroe1486 usually developer communities I help educate lol. So kinda
@@heroe1486 Majority of the "I got hate for saying..." posts on Reddit I've seen are basically prompted by the 1 or 2 people (out of 10s) not agreeing with the OP. Can't take them seriously anymore.
@@heroe1486 "Got hate for saying" usually means they got 2-3 downvotes on Reddit.
Funnily some reddit users will love to use a new web browser built by a random stranger with privacy in mind lol 😅
Mostly those are just other browsers themed with fishy behaviors or closed source
3:00 intercepting gmaps and redirecting you to diddy's mansion is just pure evil LMAO
Really evil😂
But how would you get someone's id in the first place though?
00:12 so many memories. This was in my primary school. Seeing this poster in Head Teachers office.
0:47 Ha, Firebase changes their logo!
There is a thing called "Tree Style Tab".
The horizontal tab bar can be removed with some css.
And Sidebery
Whenever I hear someone or some company is using Firebase, soon after I hear there is an exploit on their apps because the developers simply didn't know what they were doing. I wonder how many other multimillion dollar apps had developers that don't know what they are doing.
Everything old is new again. When people figured out what SQL injection was, you came to find out tons of web apps were vulnerable because the devs never thought someone would put SQL into a text box.
I'm not a multimillion dollar app developer and I also don't know what I'm doing.
A lot
4:05 love a smooth ad transition 😎
Storing executable code is wild
There will be more exploits because of this. It's inevitable.
You know what else stores executable code? Web servers
GitHub?
@@rompis.a The difference here is that the executable code can be written by a user.
@@lilium-orchid Devs are users. Users of the hosting platform. Devs write bad code all the time.
What I'm trying to say is it isn't wild to store executable code. It's wild to make such a noob mistake with security rules.
4:52 why is the spacebar censored? 👀
You know why. We can’t say it out loud, but we all know why.
If he knew why, I wouldn't be writing this sentence.
We can't say that here
because it says ********
Very NSFW.
And people were mocking me for not wanting to use browser with forced login.
Getting mocked by soydevs is generally a good indicator that you're right
Holy shit, this is gold, you fit in a promo for your firebase course & today's sponsor all within the flow of the video, legend!
Eva is an absolute legend at this point. She’s exposed security flaws in over 100,000 websites using Firebase and now even Arc Browser. Holy!!
@@anon_148 Nah
Who is eva
@@rishabhgupta655 eva deez nuts
@@rishabhgupta655 Probably a dude
@@rishabhgupta655 xyzeva, the hacker who found the exploit.
Feels so good to see a fireship video that is not an ad
But it's an ad for Firebase.
ngl the one day turnaround on the patch is actually pretty impressive
Like an arc of lightning, my private browser info can go anywhere
Even a sponsorship ad looks interesting when @Fireship talks about it xD
I really wish the firebase rules were reversed. Everything locked down by default and you have to explicitly allow read/write for things. Would make life so much easier.
yeah, like postgres' row level security! it makes services like supabase feel so nice to use
It is! Default rules are deny all. But most devs will change it to allow all by default while building. However, if you created a Firebase Firestore instance right now, it gives you a few weeks of allow all (allow if date less than x date), but after that you have to configure the security rules.
What I like to do is basically only allow READ operations if you're connecting to Firebase from the client-side, and writes/updates are only done through Cloud Functions with all the authorization logic in there. Feels easier to manage and doesn't require writing weird Firestore rules for authorization, schema validation, etc.
Damn that's smart @@TFE6979
@@TFE6979 You are losing a lot of efficiency doing that. The whole point of firestore is the ability to read/write directly from the client. Spending the 2 hours to get good at the rules isn't that hard.
We use CloudFunctions for when creating the rule would be challenging. Like sharing content. But most of the time, everything is done client side.
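The default-deny behaviour and the date-limited "allow all" template rule discussed in this thread, next to an owner-scoped rule set for a hypothetical `boosts` collection, as an added example that is not Arc's or Firebase's own configuration. The collection name, the field names (`creatorID`, `css`, `js`, `createdAt`) and the cut-off date are assumptions; the date-limited block is shown commented out because it is the shape that must not survive into production.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Shape of the "allow everything until date X" test-mode rule described
    // above (date is a placeholder). With no other match block, Firestore
    // denies every request once the date passes; with this block active,
    // any client can read and write any document until then.
    // match /{document=**} {
    //   allow read, write: if request.time < timestamp.date(2024, 10, 1);
    // }

    function signedIn() {
      return request.auth != null;
    }

    // Ownership is decided from the stored document, never from the client.
    function isOwner(doc) {
      return signedIn() && doc.data.creatorID == request.auth.uid;
    }

    // Hypothetical collection of per-user customisations that carry code.
    match /boosts/{boostId} {
      // Only the owner may read their own boost.
      allow read: if isOwner(resource);

      // On create the caller must stamp themselves as creator and may only
      // supply the expected fields.
      allow create: if signedIn()
        && request.resource.data.creatorID == request.auth.uid
        && request.resource.data.keys().hasOnly(['creatorID', 'css', 'js', 'createdAt']);

      // On update the caller must already own the document, creatorID must
      // not change, and only the content fields may be touched. The diff
      // check holds even when the client sends the whole document back as
      // one dictionary with creatorID pointed at someone else.
      allow update: if isOwner(resource)
        && request.resource.data.creatorID == resource.data.creatorID
        && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['css', 'js']);

      allow delete: if isOwner(resource);
    }
  }
}
```

The `diff(...).affectedKeys().hasOnly([...])` clause is the declarative counterpart of a server-side field allowlist: a request that names `creatorID` or `createdAt` in an update is rejected outright instead of silently merged.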
"We're not like Chrome, we're private and secure". Private and secure my donkey. What a circus.
I didn't even know Arc Browser existed; this video made me use it today.
Ordinarily I would blame BaaS for accidentally permitting types of updates that don't make sense, but this particular mistake actually sometimes happens in APIs that use ORMs too, because all it requires is for the set of updated fields to be specified as a dictionary.
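The dictionary-of-updated-fields hazard described above, as an added JavaScript example that is not Arc's or Firebase's code: an update handler of the kind one would place behind a Cloud Function, first in the unsafe merge-the-whole-patch form and then with an ownership check and an explicit field allowlist. The in-memory store, the `boosts` document shape and the field names are constructed for the example.

```javascript
// Added example: server-side update handling with and without a field allowlist.
// Store, document shape and field names are constructed for illustration.

// Fields the client must never set; fields the client may change.
const LOCKED_FIELDS = new Set(["id", "creatorID", "createdAt"]);
const UPDATABLE_FIELDS = new Set(["css", "js", "title"]);

// Constructed sample data: two users, one document each.
function makeStore() {
  return new Map([
    ["boost-1", { id: "boost-1", creatorID: "uid-alice", createdAt: 1, css: "", js: "", title: "alice's" }],
    ["boost-2", { id: "boost-2", creatorID: "uid-bob", createdAt: 2, css: "", js: "", title: "bob's" }],
  ]);
}

// The pattern the comment warns about: the patch dictionary is merged
// wholesale, so whatever keys the client names are overwritten, including
// the ownership field. No caller identity is even consulted.
function applyUpdateUnsafe(store, id, patch) {
  const doc = store.get(id);
  if (!doc) throw new Error("not found");
  const next = { ...doc, ...patch };
  store.set(id, next);
  return next;
}

// Hardened handler: the caller must own the stored document, locked fields
// in the patch are rejected rather than silently dropped (so a misbehaving
// client shows up in logs), and only allowlisted fields are copied.
function applyUpdate(store, id, patch, actorUid) {
  const doc = store.get(id);
  if (!doc) throw new Error("not found");
  if (doc.creatorID !== actorUid) throw new Error("forbidden: caller is not the owner");
  const keys = Object.keys(patch);
  const locked = keys.filter((k) => LOCKED_FIELDS.has(k));
  if (locked.length > 0) throw new Error(`forbidden: locked field(s): ${locked.join(", ")}`);
  const unknown = keys.filter((k) => !UPDATABLE_FIELDS.has(k));
  if (unknown.length > 0) throw new Error(`bad request: unknown field(s): ${unknown.join(", ")}`);
  const next = { ...doc };
  for (const k of keys) next[k] = patch[k];
  store.set(id, next);
  return next;
}

// Small helper so a caller can check "this request was refused" as a value.
function rejects(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return true;
  }
}

// Walk-through: the same patch against both handlers.
function demo() {
  const patch = { js: "console.log('hi')", creatorID: "uid-bob" };
  const unsafeResult = applyUpdateUnsafe(makeStore(), "boost-1", patch);
  const hardenedRefused = rejects(() => applyUpdate(makeStore(), "boost-1", patch, "uid-alice"));
  return { unsafeCreator: unsafeResult.creatorID, hardenedRefused };
}

console.log(demo());
```

Reading `creatorID` from the stored document rather than the request is the same rule the declarative approach enforces: ownership is a fact about the record, never a claim the client gets to make.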
Watching this on Arc Browser.....
Fireship basically shipping based news about Firebase which ships Databases as a basement. ❤️
That's why I never jump on hype trains. The first time I heard it needs an account to use, I was like nah....
🧑🏻🦰🧑🏻🦰Me too but in the end the geek inside me surrendered with my email ✉️
Theo was pushing Arc lmao Like the saying, better the devil you know...
Don't forget the bazillion chromium and Firefox forks like zen, floorp, min etc that could all potentially face this. Trust the first party (chrome and Firefox) because they likely have actual security.
@@Johnny91832 same thing happening with vscode clones lol 😅
@@Johnny91832 The fact you trust Chrome of all things in this universe while talking about privacy is wild to me.
This vulnerability made me discover the zen browser. So, I'd say a win for me.
I tried it. For the same configuration it uses twice as much RAM or more (scales up massively) than Firefox. So no, I use my custom CSS and Sidebery in OG Firefox and life's good. Your mileage may vary.
I tried zen but much prefer arc. This isn't a very good look for arc though.
@@solvek2196 comparing the 2 I'd prefer arc too, but at least the coming years I'd be too afraid to get bank details or similar stuff leaked.
But I'm probably a bit paranoid there.
Vivaldi is just the best
I tried switching, but Arc just nails so much stuff. The control+tab tab switcher, the split screen windows, the spaces and profiles, the keyboard shortcuts.
They make it so hard to switch (I can't even transfer data over).
firefox + ublock keep winning no matter what
I was using that a few days ago but then I switched to ungoogled-chromium for the right-click emoji and the homepage extension I like. Currently trying Brave to see what it's like.
this aged well
If you need to create an account for something that's private and secure, it's not private and secure.
teeeny tiiinnyy mayybe secure but definitely not private
Password Managers?
@@c49f65 Good point. Don't use online password managers. KeePass is a great solution. Don't put your entire password db in the hands of some for-profit company and their promise it's totally secure.
Seriously. If you need to create an account, it's not private. Either you and only you own it, or you're getting fucked at the next data breach.
@@c49f65 Ever heard of KeepassXC?
Your bank?
This was recommended to me the whole day, now that you changed the title, I will finally watch the video, thank you.
Talk about a ‘whoops’ moment! 😬 It's crazy how one small oversight can lead to such a huge security hole.
I liked how Theo took his time to shift the blame on Firebase. The truth is, these people should not be anywhere near a team implementing a browser.
And people like Theo shouldn't be anywhere teaching anything related to programming, he's just like those guys, a soydev with weak and shallow CS/programming knowledge that misguides beginners.
I really hate that guy for being such a "nice jerk", if you know what I mean.
Always acting as if it's understood that he's morally correct and whatever he does can't be wrong. I watched 4 videos and was out by the half of the 5th.
@@pu239 Have you seen the DarkViperAU videos on Theo? I was already uncomfortable with watching some of Theo's videos (reading articles verbatim, "react" content, etc.), and then DVAU sold me on unsubbing for good.
@@muizzsiddique i will, thanks
Or they should just invest more in hiring people in charge of security.
They have people who worked on Chrome and Safari, they have part of the browser know-how on board, but it would seem not all
We don't need the patch, because we already left Firebase after that pricing change
Great find ... good to know firebase rules do handle this vulnerability.
Not surprising that Firebase users don't know what they are doing, just hire a backend developer.
no diddy hackers
First. Also I think that we should rather use Zen browser or Firefox instead of Arc browser or proprietary Chrome.
thanks for sharing, loved zen
I like zen. Only necessary bars and most of the window to show the website. All other browser features I don't need
@@willi1978 I've started using it recently and like it for the vertical tabs. The native ones (in Nightly) are ugly af and so are the extensions. Zen does them better but I still hope something Firefox-based comes close to the Vertical Tabs Chrome extension.
I like Zen, but I miss the new tab UI with arc, it just feels much nicer to use for me
@@corvacopia yeah, the overall experience is pretty awesome and solid
I have never clicked "Restart and Update" so fast in my life.
0:15 how is that news fake?
Lol
Directly.
Based fireship
Even if this mistake was clearly Arc's, directly exposing your database to the browser makes these kinds of vulnerabilities much more likely. It's why we've moved away from Supabase as well.
That Diddy joke was smooth :)
1:38 - Why would you want to remix this? That would be like painting over the Sistine Chapel.
To fellow users:
I’ve encountered several frustrating issues with this browser, such as crashes and login failures. It seems that feedback isn’t being properly addressed by the developers either. If you’re facing similar problems, I encourage you to speak up and share your experience so that these issues get the attention they deserve. Let’s hope the developers take action and improve this browser for everyone!
AND screw you ARC Developers
I also experienced relatively poor performance, even compared to Chrome
give up and leave that browser
I'm glad that none of my data got stolen
I've never seen bugs and glitches that much in any application. but arc is still cool
I love how BaaS doesn't fit the acronym, no matter how hard you try.
It's like, as hard as people try and shove SaaS into their project, that's how hard you had to go to make that acronym.
The simple fix is instead to set specific fields to Locked in Firebase, not checking whether they match etc... the built-in created field is also of "locked" type already
3:38 Is the $500M valuation another joke? Surely that can't be real. This thing is not even visible on the Statcounter browser market share chart
Probably it shows up as chromium
"There was an attempt"
Honestly I would still give them some time, they are a relatively new company and have responded appropriately to the situation
congrats to arc on trying to be a new browser in today's market
I asked Arc's AI if it was safe to use the browser after this information and it said no. That it is better to wait for the developers to announce the fix of the flaw.
"how arc narrowly avoided an iceberg" is perhaps one of the funniest tech jokes in history.
Exactly why I stick to custom firefox with tree style tabs instead of all these new wannabe browsers..
watch his new video lol
@@karersio7062 💀💀
The more aesthetic a program is... the more exploits it has
Looking at the thumbnail, I thought this video is about Freemason. The Arc Browser logo is really similar to Freemason logo.
Good job I don't use the feature that incurred the vulnerability because it reeked of "why the fuck would I want that"
1:13 I just found out! It turns out Arc Browser is written in Swift.
same😂
yeah wtf
Taylor Swift?
@@MarvinPowell1 Apple’s Swift.
@@szymex22 Tim Swift
Are we pivoting to clerkship?
My favorite part is the "bad things with the power of Javascript"
And it has announced that it will stop all updates except for security updates going forward.
Question- does Boost only work with JS executable script? Seems like a big risk. Can it not be some data values that stores HEX values for colors? Is there additional functionality that boost provides?
Also, anybody who logs in to their browser to be synced across devices needs to be aware of the risk that your browsing data has been stored in a location outside your local machine, which is always susceptible to a data breach.
Claiming Firebase did nothing wrong when they allow you to bypass authentication that easily is a bit of a miss.
If a system's fundamental design encourages bugs with this level of potential impact, the fundamental design IS WRONG.
Allow me to introduce you to C/C++....
Horrible languages, allowing unsafe code!!!
3:54 Riskiest part of the video.
He'll go there but not 1:18, lol.
@@9hoot789 Nice catch, hah.
😂😂 Diddy's mansion was just chilling the boom 💥. Alice has arrived
Always had mixed feelings about using Arc but figured it was so much better than everything else - time for Zen browser
Now a hacker will only need to find someone else’s user id. It’s the same difficulty as finding a signature of a signed url. This is not really a serious vulnerability
May be a silly question but how would a malicious user get another user/“target” user id? I get the ability to change and force someone else to execute is bad……but how would they know who they were attacking and if the userId is even valid or not?
Probably just brute force. They can randomly try IDs until they get a hit. Hackers are often not looking for a specific target but rather any target.
Brute forcing is one
According to the hacker's article about the exploit the referral system shares your user ID in both directions, and publishing customisations or "easels" also exposes your user ID. So you'd be able to find people to attack even if you can't guarantee that a specific user will be vulnerable.
@alhypo @harshshah2549 How are you geniuses planning to "bruteforce" ~30 character alphanumeric case sensitive firebase uuids?
The biggest problem is that Firebase allows you to send data to unsuspecting users and they don't even have to accept/review it. It also stores what should be in local WebStorage with Google in unencrypted format, big problem if you're claiming to be all about security and privacy.
That's not a firebase issue. Literally any Javascript script can do the same thing no matter what backend you use, or even without a backend. If the dev stored unencrypted data to your local storage that's on them. What sucks is Arc loaded this code as part of its base functionality. Ugh.
Stopped using arc a long time ago.
This sounds like a bad security default on Firebase. I don't blame Arc based on what you said. Things should be secure by default.
the fact that it defaults to off after 30 days means Firebase expected this issue, but didn't want to risk making things too hard for people because they might lose a customer. So they chose lax security for 30 days.
Interesting that there's no one talking about Arc browser glazers here
I installed Arc and the minute I saw that creating a user account was mandatory I uninstalled it
Arc makes the impression of a product made by UI/UX experts, but having so many security holes is just not acceptable for a browser.
I stopped using Arc when I installed it on the new machine. After logging in, it merged all my workspaces, mixing all the credentials and passwords of my personal and work environments.
I would consider using it again, but only once the rest of the world has beta-tested it.
I really loved using it but had to switch to Edge because I could kinda configure it similarly to Arc.
If they claim to be private and secure they can't point fingers at other people
This is unacceptable. You have to keep in mind that Arc is already used as the default browser at many companies. Both those and consumers could've gotten impacted to a degree I don't even want to imagine. In an ideal world I would've expected VCs to pull funding but they probably got even more money because of the publicity.
I don't know why people keep assuming that primarily-macOS devs are well-versed in security, when macOS handles so much for you that you obviously are going to get used to not covering your own bases, IMHO
Man I love Arc. I hope they fix it well.
wooooow i’m so shocked it’s almost as if people were joking about it and then it happened 😭
2:06 you can't handle the truth
How are they so sure it wasn’t exploited?
I prefer Zen rn. We'll see how it goes
The lesson learned is as usual in recent times "don't store your shit on the cloud you have 0 insight into"
The amount of shit that people do with firebase is astounding. I think we can add Firebase to the list of 3 hard things in software development.
I used Firebase at the beginning of my career, and seeing a mistake such as this security misconfiguration, or prolly never configured at all from the beginning, is funny.
next video: how Clerk exposed millions of data by mistake
3:00 is wild bro
Nothing about the Wordpress drama?
Critical infrastructure software should be designed with restrictions applied by default and developers should be forced to specify exact restrictions to ease while implementing it.
I've not even heard of this browser.
I use arc on windows. Luckily for me arc on windows does not have boosts so I wouldn't have been hacked.
But why is user configuration stored in cloud and not locally? Staying away from that.