My browser got hacked and it cost me $2,000

  • Published: 1 Feb 2025

Comments • 331

  • @t3dotgg 4 months ago +461

    Since recording this video, Browser Company has taken things VERY seriously. Quick list of things since:
    - Browser Company has an official bug bounty board
    - Eva found another exploit that was fixed and paid for
    Wild ride.

    • @sherlockmaverick 4 months ago +16

      I want a guide on how to build the cursor cat, Theo.

    • @atefth 4 months ago

      @sherlockmaverick lol

    • @fajllo 4 months ago

      😅😅😅😊😅😮

    • @fajllo 4 months ago

      😅

    • @megasanjay 4 months ago

      @sherlockmaverick it's an open-source library called neko-ts

  • @shirshak6738 4 months ago +450

    Don't use Firebase is my suggestion. You can make a browser but can't make a backend for proper authentication & authorization, which is kinda a shame.

    • @BitWizCoder 4 months ago +41

      They didn't create the browser from scratch; they used Chromium as their base, so it's more like building on top of another piece of software.

    • @ivan.jeremic 4 months ago +29

      @BitWizCoder it's more like building just the UI.

    • @rasalas91 4 months ago

      @ivan.jeremic they're doing something Flutter/Kotlin Multiplatform-like, but with Swift. I don't know why exactly, because Zen Browser seems close in functionality and seems to rely on React or something?

    • @crugg 4 months ago

      @BitWizCoder Building a browser on top of Chromium that's so far off from stock Chromium is still a massive thing. If you can do that, you should 100% be able to build a simple backend.

    • @lmnk 4 months ago

      I think you don't see the elephant in the room... why the hell does THE BROWSER mandate creating an account just to use it??
      I mean, I use Firefox and I have an account for sharing tabs across devices... But I only created it in 2022 voluntarily, when I moved to mobile Firefox, and before that I just used it without any account for almost a decade.

  • @TopHatProductions115 4 months ago +291

    Just making sure I don't misunderstand...
    Are we saying that Firebase's default config is nightmare fuel for security-conscious devs?

    • @zuma206 4 months ago +70

      basically! the default in a custom-made rest api is no data is accessible. in firebase, the default is all data is accessible. in a rest api you write code to give users access to data. in firebase you write (an admittedly smaller amount of) code to disable user access to data

    • @t3dotgg 4 months ago +89

      Yep.

    • @Fiercesoulking 4 months ago +6

      Yes, but it's not just this alone; the last 10 years were a nightmare. It's really hard to summarize it: you have web devs who do things in the browser which weren't meant to be done there, while browsers stayed on JS and have no security domains, and cloud also opens some angles for attack. I recently learned about Microsoft Cloud for Infrastructure and what tools and how many custom protocols are used to remote-control Windows OS systems; "madness" would not be enough to describe it. It's not just a feeling that the flying forces have increased: in the past it was something like 2 security alerts per week on my favorite IT news site, now it is at a near-daily interval, often multiple a day.

    • @rasalas91 4 months ago

      @zuma206 isn't the default for like 30 or 90 days to open everything and then it automatically closes everything (if you didn't set your own stuff)? Or is that new?
      (I "recently" did that for the first time and when I heard the news about Arc I was confused, because you can set all that up and ~isAuthorized and ~isSameID didn't seem so far-fetched)

    • @ticler 4 months ago +3

      Just for people who do not understand how browsers and the HTTP protocol work

  • @luvmakin9342 4 months ago +88

    I am ever so stunned by YouTubers' talent to come up with the most clickbaity title! Thoroughly impressed! 🎉

    • @luvmakin9342 4 months ago +14

      I think I know the process now - it's basically half truth. The most unhinged sh*t that you can say - take it out of context and voila there you have it!

    • @DavidHust 4 months ago +3

      Loses credibility from the jump.

    • @Shocker99 4 months ago +2

      It's only not clickbait when you already know the story and know what the title is hinting.

    • @Shocker99 4 months ago +3

      @DavidHust I agree. I don't watch Theo's videos because of the clickbait titles and thumbnails. I only watched the first 30 seconds of this video to see how he would spin the title into the story.

    • @punnypuns5103 3 months ago

      True this. This is the only time I will ever click on his channel

  • @JakobRossner-qj1wo 4 months ago +27

    The thing that is really shocking to me is that they don't follow their own privacy policy by logging the websites you visit. This is a no-go for me and I don't want to have this piece of spyware on my PC.

  • @xc13z829 4 months ago +4

    Very cool Theo to support Eva and do a great explainer of this issue. And HUGE PROPS TO EVA for the awesome work.

  • @AtiqSamtia 4 months ago +117

    They're collecting each website visit when they clearly say in their policy they don't. And no accountability on this major privacy issue? Just glance over it?

    • @abdulgaffarabdulmalik4333 4 months ago

      The privacy issue seems arguable. From that query, they don't store the domain, unless they are logging it in firebase or Google fails at managing the privacy

  • @theDanielJLewis 4 months ago +9

    Dang good Browserbase ad! I love that you just _showed_ what it does and that was the best sales pitch!

  • @brisbaneweb3 3 months ago +19

    I have no idea why this got assigned a CVE. This is not a bug in Firebase, it's a bug in Arc. It was bad developers not reading documentation correctly and not setting up the database structure correctly.
    They could've easily set the database structure up so boosts were a sub-collection on user database documents named with their uid, and only allowed users whose uid matched the user document name to read and write from that sub-collection.
    It's simple. Rushed code = bad code. This sounds like a case of rushed database design, poor internal checking of the design and rushed execution.
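The per-user layout this comment describes, and the "in Firebase the default is all data is accessible" point made earlier in the thread, written out as a Firestore security rules file. This is an illustration added by the editor, not a rules file from Arc, The Browser Company or the video; the collection names `users` and `boosts`, the helper function `isOwner` and the cut-off date in the commented-out "test mode" rule are assumptions.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // The "test mode" rule a new project can start from (the date is a
    // constructed example): any client, signed in or not, may read and write
    // every document until the date passes. This is the open default the
    // thread is complaining about. Shown commented out so it is never active.
    //
    //   match /{document=**} {
    //     allow read, write: if request.time < timestamp.date(2025, 3, 1);
    //   }

    // Ownership is derived from the path segment, not from a field in the
    // document body, so a client cannot re-assign a document by editing it.
    function isOwner(userId) {
      return request.auth != null && request.auth.uid == userId;
    }

    // Each user owns exactly one document, named after their uid ...
    match /users/{userId} {
      allow read, write: if isOwner(userId);

      // ... and a boosts sub-collection beneath it. Rules do not cascade into
      // sub-collections, so the sub-collection needs its own match block.
      match /boosts/{boostId} {
        allow read, write: if isOwner(userId);
      }
    }

    // No other match block exists, so every other path is denied: a client
    // cannot list or query another user's boosts at all.
  }
}
```

With this layout the only way to read or write `/users/A/boosts/x` is to present a Firebase ID token whose `uid` is `A`; the token is verified by Firestore before `request.auth` is populated, so the check is against a signed credential rather than against an identifier the client supplies in the request body. The Firebase emulator suite can run such rules locally, which is the cheapest place to add the "user B cannot read or write user A's boost" regression test before a feature like this ships.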

  • @sean_reyes 4 months ago +85

    That cat is a nice touch I’ll add that to my website.

    • @t3lls 4 months ago +19

      Make an option to disable it, I like to read while marking the text with my cursor. That cat would really annoy me…

    • @leofaizan8886 4 months ago +43

      @t3lls that's what cats do.

    • @Manmanolo115 4 months ago +8

      Make it so that when you click on it you give it food and it leaves

    • @brod515 4 months ago +2

      I think people should be more interested in creating their own content. You don't have to have a cat like the one on her website, just come up with your own creative things.
      Go find out how they did it and just learn from that.

    • @sean_reyes 4 months ago +5

      @brod515 I like cats 😊

  • @Philipp.. 4 months ago +24

    There is no way I will give Arc another try especially because you can't use it without an account and they clearly don't care about user privacy at all. Maybe now they start to care about security but that shouldn't be an afterthought...

    • @warrenarnoldmusic 4 months ago +2

      They need that to sell cloud 😅😂😂 At this point everyone is taxing everyone as much as possible just to not use their own computers. It is the whole premise of serverless, cloud, and other as-a-service crap. The rot goes deep. They just can't allow one to save their damn scripts locally and move them manually if they want.

    • @warrenarnoldmusic 4 months ago

      Even governments these days don't use their own computers; who are you to afford to use yours, privately 😅

  • @microburn 4 months ago +4

    Dude that browser base demo. I almost never watch sponsored content but it was cool and almost not enough. Nice. I’ll be going to check them out. Immediate value prop

  • @andreas.111 4 months ago +8

    Not being a security engineer isn't an excuse for making mistakes like this either. It's part of the entire software dev lifecycle to include security

  • @inwerpsel 4 months ago +6

    Arc is just an elaborate plot to demonstrate that it makes 0 sense to use a closed source browser.

  • @liam-dimpr 4 months ago +78

    2:05 "firebase was the cause".
    No. This is not true. It's not a firebase-specific issue. It's an arc developers skill issue - they did authn by user id, instead of authn by signed/verified token, in firebase security rules.
    Firebase and cloud are generally a little unbased, but it's not the root cause.
    It's literally arc devs making code which does authn by user id instead of a signed/verified token.
    EDIT: Exchanged with theo on x, and actually it's probably not fair to say this isn't a somewhat firebase-specific issue, since the firebase docs do have unacceptable security rule examples, including rules which fail to include request.auth none checks, which would even bypass request.auth.uid checks; that's a bit crazy and definitely going to increase the rate of security issues where a lapse in skill or judgement occurs.

    • @t3dotgg 4 months ago +52

      The official example in the Firebase docs is vulnerable to this exploit.
      Three other websites have been found with the same exploit since. Eva has a long post about how common this particular config is.

    • @zuma206 4 months ago +25

      If you don't see how firebase enables this specific type of issue you shouldn't be using firebase. And if you do see how firebase enables this specific type of issue then you also shouldn't be using firebase.

    • @cobrasys 4 months ago +12

      @t3dotgg Then that's a Firebase _docs_ issue, not a Firebase _functionality_ issue. Postgres also has row-level security, but it's not on by default.
      If what you're saying is that having row-level security be the *only* security mode is a bad feature, then I would agree with you, but the fact of the matter is that a properly configured Firebase store would not be subject to this exploit. The "cause" was the Arc devs' use of Firebase's less-than-ideal defaults, due to either ignorance or carelessness.

    • @benargee 4 months ago +3

      @cobrasys ok but it's still a Firebase issue. Theo didn't specify what part of Firebase had an issue. They should teach users to use security features securely. Don't downplay it.

    • @cobrasys 4 months ago +8

      @benargee They absolutely should teach their users how to use their product securely, no doubt about that, but saying it's _purely_ a Firebase issue is misleading. The product itself doesn't have a vuln or a flaw.
      Let me put it another way: if a stapler manufacturing company doesn't put "don't staple your buttcheeks together" in the manual, when someone invariably does it, you wouldn't say it was a _stapler_ problem, would you?

  • @jonaskohl13 4 months ago +57

    15:48 "They're new to this, they have no idea what they're doing" Maybe they shouldn't just build a browser with half-assed features like this and put all of their users' data on the line. This is just plain amateur-grade software development. If you'd push such a half-baked, insecure feature like this in a "normal", non-startup corporation, you'd immediately get fired for it. This level of unprofessionalism, developing features with somewhat trivial exploits, is just unacceptable for a product like this. There should be QA, there should be internal security testing before a feature like this even reaches its alpha stage.

    • @spotandjake1008 4 months ago +7

      That's extremely harsh; small permissions bugs are found all the time in software. And browsers are extremely complex; sure, using Chromium helps a lot, but it's still a massive surface area for attack.

    • @hello19286 4 months ago

      @spotandjake1008 Are you really calling the ability for someone to completely bypass auth and execute JavaScript in someone's browser a "small permission bug"? This is a monster vulnerability that gets people fired. It shows a complete lack of knowledge of API security.

    • @luigikart222 4 months ago

      @spotandjake1008 I think I lean more towards what OP commented. I took a mobile app development course in college last semester and we used Firestore, and even there the topic of proper access rules was covered. Yeah, defaults are not the best, but due diligence means reading the documentation and studying the settings. Hell, if not auditing the app before a release, then at the very least maybe hiring someone for that role in particular.
      Proper hardening and QA on a company-developed browser really is the bare minimum. This is not giving me a good impression. It might be very performant or have an excellent UX for all I know. But this gives me the impression that there's a lack of oversight on basic queries from their end. It's not even a CVE.

    • @Segphalt 4 months ago +7

      "Move fast break things" was never for the security conscious and was always for investors to get in and make a quick buck on "the new hotness."

    • @luigikart222 4 months ago +3

      @Segphalt Hard agree.
      Also, I think my previous comment got removed, but to reiterate, wow this was preventable.

  • @codewithtae6637 4 months ago +2

    There was some confusion (at least for me) around the 13:50 mark and I think this statement by Arc could be helpful:
    "Unfortunately our Firebase ACLs (Access Control Lists, the way Firebase secures endpoints) were misconfigured, which allowed users' Firebase requests to change the creatorID of a Boost after it had been created"
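The rule shape that the quoted Arc statement and the "authn by user id instead of a signed/verified token" discussion above describe, placed beside a hardened version. This is an illustration added by the editor and is not Arc's real rules file: the weak block is a reconstruction of the shape described (an owner check that leaves `creatorID` writable after creation), and the collection names `boosts_weak` and `boosts`, the field names `site`, `css` and `js`, and the helper functions `signedIn` and `ownsStored` are assumptions.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (reconstructed shape, not Arc's actual rules). The owner of a boost
    // may update it, but nothing pins creatorID, so the owner can rewrite
    // creatorID to another user's uid. A client that loads "boosts where
    // creatorID == my uid" then picks up a document it never created. Any
    // signed-in account suffices; no check compares the new value to the old.
    match /boosts_weak/{boostId} {
      allow read:   if resource.data.creatorID == request.auth.uid;
      allow create: if request.resource.data.creatorID == request.auth.uid;
      allow update: if resource.data.creatorID == request.auth.uid;
    }

    // HARDENED. Sign-in is checked explicitly, ownership is checked against the
    // stored document, the owner field is immutable after creation, and an
    // update may only touch an allow-listed set of fields.
    function signedIn() {
      return request.auth != null;
    }
    // resource is the document as stored; request.resource is the incoming write.
    function ownsStored() {
      return signedIn() && resource.data.creatorID == request.auth.uid;
    }

    match /boosts/{boostId} {
      allow read: if ownsStored();

      // On create the owner must be the caller, taken from the verified token,
      // and the document may contain only the expected keys.
      allow create: if signedIn()
        && request.resource.data.creatorID == request.auth.uid
        && request.resource.data.keys().hasOnly(['creatorID', 'site', 'css', 'js']);

      // On update the owner field may never change, and only the allow-listed
      // keys may differ from the stored copy (allow-list, not block-list).
      allow update: if ownsStored()
        && request.resource.data.creatorID == resource.data.creatorID
        && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['site', 'css', 'js']);

      allow delete: if ownsStored();
    }
  }
}
```

The two lines that close the described hole are the `creatorID` equality on update and the `affectedKeys().hasOnly(...)` allow-list: together they make "change the creatorID of a Boost after it had been created" impossible for any client, including the owner. The explicit `signedIn()` check states the intent instead of relying on `request.auth.uid` failing for anonymous callers. The stricter variant described later in the thread, where clients are read-only and every write goes through a server using the Admin SDK (which bypasses these rules), is `allow write: if false;` in place of the create, update and delete lines.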

  • @JonGretarB 4 months ago +7

    I loved Arc. I loved the workflow of it. However… there are a few problems. The big one is the problems mentioned in the video. The second problem is the user login requirement. The third problem, and the reason I stopped using it before I watched this video, is the Chromium backend. Chromium is just not compatible with things that run off batteries. The energy use is just crazy. There is a noticeable difference in battery life when you use a Chromium-based browser. We are talking about hours in a day.

  • @Strammeiche 4 months ago +2

    I tried arc a week ago and really liked it. I'm somehow not sure anymore but the zen browser looks quite good too.
    But as the browser is the most important software after the OS itself I may stick with the big ones as they are probably more secure.

  • @frankymaca 4 months ago +1

    It's always nice to see fellow programmers help each other when companies don't make it right! Love your videos btw

  • @misc.cont. 4 months ago +2

    This is an amazing learning moment for me. I’m using supabase to make my first proper complex app and the docs all say don’t rely on row level security alone, do auth checks too (in next js server actions in my case). I didn’t fully grasp why but have been doing it anyway. This appears to demonstrate exactly why?

  • @kellymoses8566 4 months ago +11

    The Browser Company has no business model at all. I don't get it. And a bug this bad should get a company just plain shut down.

    • @hassan7569 4 months ago +4

      They log your data (i.e. websites you visit) and most likely sell it to brokers; this was also found by the person who found this exploit, in the same report.

    • @tyleralexandermills 3 months ago

      @hassan7569 Bullshit

  • @ThatDJMat 4 months ago +4

    While the initial payout was more of an insult than anything, this is pretty much a masterclass in how a company can and should handle security incidents. No attempt to downplay, nearly instantly patch, and very publicly posted by the company themselves.
    Much respect to arc & browser company for how they handled this as a whole. So many companies fail to take security seriously.

    • @flamingspinach 3 months ago

      @ThatDJMat Their response is the bare minimum for a browser dev and doesn't excuse the fact that they didn't even have a bug bounty program originally, let alone the fact that they had such a careless bug in the first place. When your product is something incredibly security-critical like a web browser, practically the user's entire life is in your hands and you need to act like you understand the seriousness of that.

    • @ThatDJMat 3 months ago

      @flamingspinach for starters, every program is going to have bugs. You can't judge by the fact a bug exists alone; once it was brought to their attention it was fixed immediately, which is significantly better than many other products.
      The type of project doesn't change the reality that we are all humans and make mistakes and oversights.
      As for the bug bounty, that can't be a genuine complaint. The super majority of companies, even software companies, don't have one. They also fixed that, so the complaint was resolved when the community complained.
      Don't judge a company for having a security incident, judge them by how they respond.
      For reference, I work in health IT software development, where people's lives are a lot more literally in my hands; you may be overblowing a bit how important a browser is.

  • @NicolasSilvaVasault 4 months ago +158

    i really want to jump to zen browser after this

    • @mob_codes-f9g 4 months ago +17

      Yoo, It's slowly becoming my daily driver

    • @Seven-ez5ux 4 months ago

      Highly recommend. Been daily-ing it for a month+ now. No complaints.

    • @RomanAvdeevX 4 months ago +21

      I use it daily, it's amazing

    • @googleisevil4115 4 months ago +8

      I love it, few issues that need to be ironed out still

    • @lokuo5523 4 months ago +7

      Zen is amazing especially on windows, Arc on windows is just not ready yet

  • @zuma206 4 months ago +160

    does eva have a youtube or something? as awesome as your videos are, i wish i could get this sorta informative video straight from the source. Paying eva 2k is incredible, though if you continue to cover her stuff i hope you either continue to pay her or work out a revenue split

    • @PatrikTheDev 4 months ago +37

      Actually, Eva ended up getting 20K from The Browser Company, which is much better

    • @schtormm 4 months ago +14

      She's got a blog, it's in her Twitter bio

    • @porterhouse937 4 months ago

      I don’t know about RUclips, but based on “her” aesthetics and pfp, I’m sure eve has a nice little girl wiener and probably a discord channel with copious amounts of cp.

    • @flamingspinach 3 months ago

      2k is an extremely lowball bounty for a bug of this severity

    • @zuma206 3 months ago

      @flamingspinach but it wasn't even Theo's bug

  • @SanyaZol 4 months ago

    5:27 uBlock Origin is good not only for hiding annoying elements, but also for applying custom CSS rules (using its selector:style(color:red) syntax)

  • @HashimWarren 4 months ago +5

    1:57 browserbase looks awesome. An ad I actually like!

    • @Blu3yo 4 months ago

      Yeah that use case he showed looked sick

  • @brownpaperbagyea 4 months ago +17

    Am I crazy or does it seem kinda foolish to use these obscure browsers?

    • @kjala_nix 4 months ago

      you are crazy to think it's foolish to use obscure browsers; Firefox, Tor, Librewolf, Zen, Vivaldi.

  • @GameOn0827 4 months ago +10

    Turns out the 10x dev was right, they didn't need those investors.

  • @doubletroublemcmuffin 4 months ago +4

    These ads are so much better than the skits

  • @ahumeniy 3 months ago

    One of the most basic rules for writing an API is not trusting user inputs. They should override the user ID provided by the user with the one from the credentials

  • @garcipat 4 months ago +6

    best example why whitelisting wins over blacklisting. always expect the worst.

  • @thijskoerselman 4 months ago +1

    I have been developing on Firebase for many years, but I always disable direct writes from clients, and only allow them to read. All mutations flow through API endpoints instead. It takes away the out-of-the-box optimistic updates, but retaining this kind of control makes me sleep better.

  • @rackyboi 4 months ago +33

    A browser that can remotely inject JS and CSS into any website is a security nightmare even without the bug

    • @harrytowers1076 4 months ago +4

      Surely any browser can do that? You can run JS in any browser console and dev tools lets you change styles

    • @Segphalt 4 months ago

      @harrytowers1076 You can do that, a remote party can't. The issue here is that someone anywhere in the world can inject arbitrary JS into your browser.

    • @jewelbency5072 4 months ago

      @harrytowers1076 Remotely is the key word

    • @hamm8934 4 months ago

      @harrytowers1076 that's not what XSS is. The problem is that another actor can inject JS/CSS into your session. That's the problem

    • @kmcat 4 months ago +4

      So do you have any browser plugins?

  • @sutharjay1 4 months ago +29

    Zen >>> Arc

    • @wvovaw3052 4 months ago +2

      No, bro. I've been using Zen for a while and it's not even close to Arc. It lacks some of Arc's killer features like "Peek". Also I ran Zen on a pretty old machine and it seemed to leak some memory. I returned to Chromium after 3 weeks of using Zen and have no regrets. Hope Zen becomes a real thing eventually!

    • @firestormjupiter 4 months ago +8

      Zen is in alpha and mostly developed by a solo dev, give it some time and it will be more stable and could quite possibly surpass arc in many aspects

    • @jonan2199 4 months ago

      @wvovaw3052 "peak" so annoying gosh lee

    • @haomingli6175 3 months ago

      zen still has the fucking firefox issue on mac where changing keyboard shortcuts don't work well.

    • @firestormjupiter 3 months ago

      @wvovaw3052 Speaking of which, you might want to check it out again. The developer just added "glance" as well as custom gradients.

  • @FlameForgedSoul 4 months ago

    Thanks for suggesting Zen browser Theo👌

  • @wlockuz4467 4 months ago +2

    I can't with the kitty running around 😭

  • @7heMech 4 months ago +10

    This is an example of extremely poor use of Firebase, since it doesn't even follow the first thing in the Firebase docs (check that the user is writing and reading for their own id)

    • @pokefreak2112 4 months ago

      SaaS should be idiot proof, that's the whole reason to use it. If you get these security vulnerabilities by default and need to manually hunt all of them down that's just bad product design.

  • @nikilk 4 months ago

    Well, it's cool that these things are being caught. No software is perfect when it comes out. Arc's focus was purely around the UX and I bet they'll improve their internal implementation with champions like Eva

  • @ItsError430 4 months ago

    That's amazing, I'm happy they handled it well afterwards. Congrats to Eva and just wow 😂

  • @codeChuck 3 months ago

    Eva's kitty is an amazing little cutie :D Following your cursor :) So distracting! But so fun! It kinda resembles a little zergling, btw :)

  • @cognominal 4 months ago +2

    The Browser Company blog entry on the subject is dated September 20, that is before the incident. WTF.

    • @TheRealCornPop 4 months ago +2

      They were made aware of it on Aug 25th

  • @TheKennyWorld 4 months ago +4

    Negligent behavior from Arc.

  • @joschkazimdars 4 months ago

    I'm actually binging all your videos to get the insights into the tech industry that I have desired for many years.

  • @stroiman.development 4 months ago

    Please, BC, also fix the complementary security issue: allow us to use the browser without _requiring_ an account. If that hadn't been the case, and if this breach had been exploited, I wouldn't have been affected to begin with.
    But great video, thanks - I take it as a textbook example of one of the disadvantages of CRUD, which is what the data model seems to be.

  • @murmeli9702 3 months ago

    What are you using for drawing diagrams? Looks incredible, great content 🙏

  • @curiouslycory 4 months ago +4

    Everyone screws up. How you handle that screw up is what really matters. Their response definitely earned respect from me.

  • @sidewaysdesign 4 months ago +2

    Nice to see the return of Neko the Cat after all these years...

  • @arcanernz 4 months ago +1

    Seems like a bad default on Firebase's side. They should have security by default, not opt-in security. But then it would be difficult to adopt for beginners, since you'd have to do all these configurations just to use it, which I think is worth it in the long run but is still a barrier to entry.
    It's like a classic tug of war between engineering and marketing. You need both to be successful, but it is most definitely the wrong call for this situation.
    If enough people stop using Firebase they'll be forced to change.

  • @Nil-js4bf 4 months ago

    Firebase sounds even worse than GraphQL's mess with field level authorization. Once your data model gets large and complicated, it would be a nightmare to think about all the permutations of things that can and can't be updated, and the conditions for each.

  • @InfiniteQuest86 4 months ago +2

    ARC is probably way too small for state actors to care. But after this, lol, who knows....

  • @SorceressEmmaly 4 months ago

    I find it annoying that they don't push permission correctness harder in Firestore. This issue is trivial to prevent, but it only works if the dev knows how.

  • @edugar88 4 months ago +2

    Let's hope for Ladybird's success

  • @DevUser-bh9if 4 months ago +1

    Theo not talking about browsers challenge (IMPOSSIBLE)!

  • @tato-chip7612 4 months ago +44

    >bro uses meme browser and gets meme results
    And this shit is why I never use anything other than Firefox.

    • @RenderingUser 4 months ago +11

      Let's gooo. Firefox gang

    • @Segphalt 4 months ago

      Librewolf or Mullvad Browser. Based on Firefox. Unfortunately even Firefox has gotten in on the "let's spy on everyone" game with PPA in FF128

    • @Fooney1 4 months ago

      I'm using Opera GX for a few reasons.
      1. Firefox fired the best guy for a total BS reason. I'll never use them again unless he comes back.
      2. I would rather the Chinese watch my every move than the US gov.
      3. I like GX and it's Chromium so it's pretty compatible.

    • @RenderingUser 4 months ago +4

      @Fooney1 how about you use the browser from the original creator of Opera instead (Vivaldi)

    • @Fooney1 4 months ago

      @RenderingUser Never heard of it. I'll look into it.

  • @user-pt1kj5uw3b 4 months ago +1

    Yeah, I'm not gonna use this shit. The fact this could happen in the first place makes me lose faith in the project.

  • @kaldogorath 1 month ago

    Theo bluescreening several times when the cat starts moving

  • @iLiran 4 months ago +14

    But is it really Firebase to blame for? To me, it seems like the developer fault (at least in this case).

    • @PatrikTheDev 4 months ago +2

      @iLiran nothing is ever one person's/party's fault; this is ultimately TBC's fault, but they weren't set up for success by Firebase because their rules system is hard to get right

  • @ramtennae 4 months ago +2

    patiently waiting for Theo to zap the cat

  • @artemisfowl127 4 months ago +4

    oh no, arc no more! Hopefully you get through it!

  • @NuncNuncNuncNunc 4 months ago +2

    Sounds like a skill issue. Firestore can be configured like 'users/USERID/' with permissions set to give only the user access to anything under the USERID which is the simplest config. That said, even with one big collection for all users, per document permissions can be set, but you would need to do this for each collection with user specific content. The error seems on par with not sanitizing user generated content whether it be styles, code, sql, images, or whatever. Every byte coming from the browser is your enemy.

  • @Beadlesstorh 3 months ago

    *ANY SOFTWARE* that's released first on APPLE as an exclusive is nothing but a cash grab by greedy people. They may or may not do their due diligence in security, period.
    As a computer engineer I cannot understand why a developer that does care about what they provide and about the user base would choose to release on Apple first, other than seeing it as a secure investment; again, financials directed at a platform full of *PRIVILEGED* people who have 2k to lose to begin with…

  • @kipchickensout 2 months ago

    I went to the website for browserbase and still don't know what they offer, like what the use cases are

  • @immortalreverence 4 months ago +2

    even the gui is hackable, allowing the browser to be reversed. Because I know...

  • @yiannis_p 4 months ago

    Someone send her a cape, like for real what a superhero

  • @thatlittlefroge 3 months ago +1

    does anyone know what the app is called for the cat following his mouse?

  • @AnonYmous-yu6hv 4 months ago +1

    they should remove that account option

  • @Mallowigi 4 months ago +2

    Very interesting video, but was the clickbait really necessary?

  • @winningtech5
    @winningtech5 4 months ago

    Simply put, they had a bad Firebase collection policy.

  • @gearboxworks
    @gearboxworks 4 months ago +3

    Can you create a Boost to get rid of that damn cat?!? 😒

  • @wlockuz4467
    @wlockuz4467 4 months ago +1

    Screw the exploit, I wanna see their Firebase bill.

  • @byuwur
    @byuwur 3 months ago

    Going back to Edge. And deleting the required account.

  • @rns10
    @rns10 4 months ago +1

    If they could just stop asking for emails to use a browser. It's such an issue.
    You want to increase your browser user count, but then block them for an email?

  • @unknowntotherestoftheworld
    @unknowntotherestoftheworld 4 months ago +7

    Zen >>> plus it's Firefox so it doesn't have to deal with the Chrome manifest changes and runs on Linux

    • @NabekenProG87
      @NabekenProG87 4 months ago

      My boy Linux is always left behind 😢. Automatically makes Zen better

    • @unknowntotherestoftheworld
      @unknowntotherestoftheworld 4 months ago

      @@NabekenProG87 there are even Nix flakes for it while they're working on getting a proper nixpkg for it

  • @gkiokan
    @gkiokan 4 months ago

    The cat is awesome!

  • @animanaut
    @animanaut 4 months ago +1

    ...we checked the logs... yeeeaaaahhhh, riiiiiiiight

    • @DavidHust
      @DavidHust 4 months ago

      What could they say instead if it were true to get people to believe them?

  • @tea_otomo
    @tea_otomo 4 months ago

    That's why I don't touch hyped browsers with "flashy" new features

  • @t803586
    @t803586 3 months ago

    wow i want to thank all the beta testers out there

  • @hqcart1
    @hqcart1 4 months ago

    That's what happens when you try to reinvent the wheel..

  • @bryangichuru9
    @bryangichuru9 4 months ago

    If it isn’t my arch nemesis Firebase. Too easy to make a security flaw and it’s never your fault

  • @PhilipAlexanderHassialis
    @PhilipAlexanderHassialis 4 months ago +1

    But it all boils down to having access to someone else's creator/user/whatever Id. Now, arguably, this could be accessed by a MITM or something else that can listen to a machine's calls. It is impressive but I was kinda expecting something a bit more explosive.
    Edit: I just reached the point of the video where you practically advertise your own user Id to the public. Amazing security concept, great success! Whoever thought of that should be awarded engineer of the year!
    That being said, good job on researching the browser and even better job to keep the white hat on.
    P.S. so people *really* use Firebase huh? TIL.

  • @Mrwingsofchickenwings
    @Mrwingsofchickenwings 4 months ago

    Fancy looking browser. Looks like they hired good web devs but no real backend infra engineers.

  • @thriceborn7665
    @thriceborn7665 4 months ago

    This is real hacking. Salute to Eva!

  • @lunalover7622
    @lunalover7622 3 months ago +1

    People making Arc browser are a joke. This is an insane mistake. Instead of relying on the stupid Swift language, they should focus more on infra and even remove the login completely.

  • @Younex
    @Younex 4 months ago

    The cat following the cursor is so cute damn 🔥🔥🔥🔥

  • @sumitpurohit8849
    @sumitpurohit8849 4 months ago

    Torvalds: My kernel got hacked

  • @user-pt1kj5uw3b
    @user-pt1kj5uw3b 4 months ago +3

    Clown browser. Cool UI though.

  • @wlockuz4467
    @wlockuz4467 4 months ago

    This would not have been a problem with Ladybird.

  • @shirumi2331
    @shirumi2331 4 months ago

    Why would you ever use anything other than Firefox in the first place??

  • @truthalwaysprevails662
    @truthalwaysprevails662 4 months ago +1

    Kind of expected it sooner rather than later. Arc had just too much hype around it, and when they initially launched the browser exclusively for Apple and deferred the Windows launch for later, that was kind of a red flag for me. Just my opinion.

    • @firestormjupiter
      @firestormjupiter 4 months ago

      It’s like they built their business model around both the good and the bad of Apple. From what I hear a closed ecosystem (in a browser!) is a thing in Arc and there are people using various complicated scripts just to export passwords and data

  • @MrJloa
    @MrJloa 4 months ago

    All they needed to do is store Arc boosts on your machine 😂
    What a funny way to shart

  • @anonymoususer13666
    @anonymoususer13666 4 months ago

    This would've been found out much earlier if Arc was open-source. And it wouldn't have happened in the first place if they hadn't used fucking _Firebase_ of all things.

  • @dx10ocv
    @dx10ocv 4 months ago +1

    So you've been Arced and you've been Clerked

  • @sanjaux
    @sanjaux 4 months ago +2

    You’re telling me boosts are just user friendly, unsafe local overrides?

  • @rfigueiredo
    @rfigueiredo 4 months ago

    They were more responsible than CrowdStrike hahaha.

  • @AKABeestYT
    @AKABeestYT 4 months ago

    That moment when not open source.
    I'll stick to Zen thanks

  • @berenscott8999
    @berenscott8999 4 months ago

    Yeah but, what's the worst you could do? You need to know the creatorId of the person you want to hack. The boost is specific to one website, and that user would just need to randomly go to that one website. Now the kicker, surely you cannot just inject a tonne of malicious code into it. There have to be limitations on what a boost contains. As in, I really doubt you could put much in it.
    What is the creatorId? Like is it something predictable? For example, MongoDB IDs would be really difficult to predict. Some IDs would be easy, but you could be using something which has difficult IDs. Overall, it's not a big exploit. I doubt many people use this feature.

  • @JonathanRose24
    @JonathanRose24 4 months ago

    Love Arc and the Browser Company and the way they ultimately handled this, makes me love them even more

  • @MrVampify
    @MrVampify 4 months ago +2

    2000 for a bug of that magnitude is insane.
    Google would've paid minimum 300K (loosely mathed based on their bug bounty program.)
    This bug is full remote code execution, authentication bypass, unrestricted database access, logic flaws etc.
    This was a business shutdown level bug. 2000 is more than insulting. It's borderline criminal.
    Worth noting as well, understanding how boosts work has made me realize just how insecure and illegal? this browser is.
    If using boosts tracks your website usage and is apparently publicly readable and updatable that is a massive issue.
    How does Arc even exist?

  • @andjelko.v
    @andjelko.v 3 months ago

    Arc can be a good browser but right now there are miles better options

    • @ytlobered
      @ytlobered 3 months ago

      Which ones would you recommend?