My browser got hacked and it cost me $2,000
- Published: 27 Sep 2024
- Thank you BrowserBase for the support, check them out at browserbase.com
Arc getting hacked is terrifying. Firebase being responsible is even more so.
SOURCES
kibty.town/blo...
arc.net/blog/C...
x.com/xyz3va/s...
Check out my Twitch, Twitter, Discord more at t3.gg
S/O Ph4seOn3 for the awesome edit 🙏
Since recording this video, Browser Company has taken things VERY seriously. Quick list of things since:
- Browser Company has an official bug bounty board
- Eva found another exploit that was fixed and paid for
Wild ride.
I want a guide on how to build the cursor cat, Theo.
@sherlockmaverick lol
😅😅😅😊😅😮
😅
Don't use Firebase is my suggestion. You can make a browser but can't make a backend for proper authentication & authorization; that's kind of a shame.
They didn't create the browser from scratch; they used Chromium as their base, so it's more like building on top of another software.
@BitWizCoder it's more like building just the UI.
@ivan.jeremic they're doing something Flutter/Kotlin Multiplatform like, but with Swift. I don't know why exactly, because Zen Browser seems close in functionality and seems to rely on React or something?
@BitWizCoder Building a browser on top of Chromium that's so far off from stock Chromium is still a massive thing. If you can do that, you should 100% be able to build a simple backend.
I think you don't see the elephant in the room... why the hell does THE BROWSER mandate creating an account just to use it??
I mean, I use Firefox and I have an account for sharing tabs across devices... But I only created it in 2022 voluntarily, when I moved to mobile Firefox, and before that I was just using it without any account for almost a decade.
does eva have a youtube or something? as awesome as your videos are, i wish i could get this sorta informative video straight from the source. Paying eva 2k is incredible, though if you continue to cover her stuff i hope you either continue to pay her or work out a revenue split
Actually, Eva ended up getting 20K from The Browser Company, which is much better
she's got a blog, it's in her twitter bio
I don’t know about RUclips, but based on “her” aesthetics and pfp, I’m sure eve has a nice little girl wiener and probably a discord channel with copious amounts of cp.
Just making sure I don't misunderstand...
Are we saying that Firebase's default config is nightmare fuel for security-conscious devs?
basically! the default in a custom-made rest api is no data is accessible. in firebase, the default is all data is accessible. in a rest api you write code to give users access to data. in firebase you write (an admittedly smaller amount of) code to disable user access to data
Yep.
Yes, but it's not just this alone; the last 10 years were a nightmare. It's really hard to summarize: you have web devs who do things in the browser which it wasn't meant for, while the browser stayed on JS and has no security domains; cloud also opens some angles for attack. I recently learned about Microsoft Cloud for Infrastructure and what tools and how many custom protocols are used to remote control Windows OS systems; madness. It's not just a feeling that the flying forces have increased; in the past it was something like 2 security alerts per week on my favorite IT news site, now it is at a near daily interval, often multiple a day.
@zuma206 isn't the default for like 30 or 90 days to open everything and then it automatically closes everything (if you didn't set your own stuff)? Or is that new?
(I "recently" did that the first time and when I heard the news about Arc I was confused, because you can set all that up and ~isAuthorized and ~isSameID didn't seem so far fetched)
Just for people who do not understand how the browser and the HTTP protocol work
They are collecting each website visit when they clearly say in their policy they don't. And no accountability for this major privacy issue? Just glance over it?
That cat is a nice touch I’ll add that to my website.
Make an option to disable it, I like to read while marking the text with my cursor. That cat would really annoy me…
@t3lls that's what cats do.
Make it so when you click on it you give it food and it leaves
I think people should be more interested in creating their own content. You don't have to have a cat like the one on her website; just come up with your own creative things.
go find out how they did it and just learn from that.
@brod515 I like cats 😊
15:48 "They're new to this, they have no idea what they're doing" Maybe they shouldn't just build a browser with half-assed features like this and put all of their users' data on the line. This is just plain amateur grade software development. If you'd push such a half-baked, insecure feature like this in a "normal", non-startup corporation, you'd immediately get fired for this. This level of unprofessionalism, developing features with somewhat trivial exploits, is just unacceptable for a product like this. There should be QA, there should be internal security testing before a feature like this even reaches its alpha stage.
i really want to jump to zen browser after this
Yoo, It's slowly becoming my daily driver
Highly recommend. Been daily-ing it for a month+ now. No complaints.
I use it daily, it's amazing
I love it, few issues that need to be ironed out still
Zen is amazing especially on windows, Arc on windows is just not ready yet
Zen >>> Arc
No, bro. I've been using Zen for a while and it's not even close to Arc. It lacks some of Arc's killer features like "Peek". Also I ran Zen on a pretty old machine and it seemed to leak some memory. I returned to Chromium after 3 weeks of using Zen and have no regrets. Hope Zen becomes a real thing eventually!
Zen is in alpha and mostly developed by a solo dev, give it some time and it will be more stable and could quite possibly surpass arc in many aspects
Turns out the 10x dev was right, they didn't need those investors.
The thing that is really shocking to me is that they don't follow their own privacy policy by logging the websites you visit. This is a no go for me and I don't want to have this piece of spyware on my PC.
I just can't understand how someone can use a closed source browser. And one which needs to be logged in.
Man, if that's not a confirmation for "they are f***ing taking all your data" I just don't know what can be 😂
It’s easy to check what telemetry they collect, but I definitely won’t do that, I’m good enough with Edge and Tor/Mullvad on the side when I need it
wait, you can't use Arc without logging in? I use Linux so I can't test it
Is there another way to sync data between devices? What data do you think they care about enough to "take"?
This is an example of an extremely poor use of Firebase, since it doesn't even follow the first thing in the Firebase docs (check that the user is writing and reading for their own id)
SaaS should be idiot proof, that's the whole reason to use it. If you get these security vulnerabilities by default and need to manually hunt all of them down that's just bad product design.
2:05 "firebase was the cause".
No. This is not true. It's not a Firebase specific issue. It's an Arc developers' skill issue: they did authn by user id, instead of authn by signed/verified token, in Firebase security rules.
Firebase and cloud is generally a little unbased, but it's not the root cause.
It's literally arc devs made code which does authn by user id instead of a signed/verified token.
EDIT: Exchanged with Theo on X, and actually it's probably not fair to say this isn't a somewhat Firebase specific issue, since the Firebase docs do have unacceptable security rule examples which include rules that fail to include request.auth none checks, which would even bypass request.auth.uid checks, and that's a bit crazy and definitely going to increase the rate of security issues where a lapse in skill or judgement occurs.
The official example in the Firebase docs is vulnerable to this exploit.
Three other websites have been found with the same exploit since. Eva has a long post about how common this particular config is.
If you don't see how firebase enables this specific type of issue you shouldn't be using firebase. And if you do see how firebase enables this specific type of issue then you also shouldn't be using firebase.
@t3dotgg Then that's a Firebase _docs_ issue, not a Firebase _functionality_ issue. Postgres also has row-level security, but it's not on by default.
If what you're saying is that having row-level security be the *only* security mode is a bad feature, then I would agree with you, but the fact of the matter is that a properly configured Firebase store would not be subject to this exploit. The "cause" was the Arc devs' use of Firebase's less-than-ideal defaults, due to either ignorance or carelessness.
@cobrasys ok but it's still a Firebase issue. Theo didn't specify what part of Firebase had an issue. They should teach users to use security features securely. Don't downplay it.
@benargee They absolutely should teach their users how to use their product securely, no doubt about that, but saying it's _purely_ a Firebase issue is misleading. The product itself doesn't have a vuln or a flaw.
Let me put it another way: if a stapler manufacturing company doesn't put "don't staple your buttcheeks together" in the manual, when someone invariably does it, you wouldn't say it was a _stapler_ problem, would you?
I am ever so stunned with YouTubers' talent to come up with the most clickbaity title! Thoroughly impressed! 🎉
I think I know the process now - it's basically half truth. The most unhinged sh*t that you can say - take it out of context and voila there you have it!
Loses credibility from the jump.
zen >>> plus it's Firefox so it doesn't have to deal with the Chrome manifest changes and runs on Linux
My boy Linux is always left behind 😢. Automatically makes Zen better
@NabekenProG87 there's even a nix flake for it while they're working on getting a proper nixpkg for it
A browser that can remotely inject JS and CSS into any website is a security nightmare even without the bug
I loved Arc. I loved the workflow of it. However… there are a few problems. The big one is the problems mentioned in the video. The second problem is the user login requirement. The third problem, and the reason I stopped using it before I watched this video, is the Chromium backend. Chromium is just not compatible with things that run on batteries. The energy use is just crazy. There is a noticeable difference in battery life when you use a Chromium based browser. We are talking about hours in a day.
There is no way I will give Arc another try especially because you can't use it without an account and they clearly don't care about user privacy at all. Maybe now they start to care about security but that shouldn't be an afterthought...
But is it really Firebase that's to blame? To me, it seems like the developer's fault (at least in this case).
Can you create a Boost to get rid of that damn cat?!? 😒
These ads are so much better than the skits
patiently waiting for Theo to zap the cat
>bro uses meme browser and gets meme results
And this shit is why I never use anything other than Firefox.
Let's gooo. Firefox gang
You’re telling me boosts are just user friendly, unsafe local overrides?
I tried arc a week ago and really liked it. I'm somehow not sure anymore but the zen browser looks quite good too.
But as the browser is the most important software after the OS itself I may stick with the big ones as they are probably more secure.
Man see cat following the mouse, man laughs, man like!
I'm sold already, where can I get it?
Screw the exploit, I wanna see their Firebase bill.
Nice to see the return of Neko the Cat after all these years...
I can't with the kitty running around 😭
...we checked the logs... yeeeaaaahhhh, riiiiiiiight
What could they say instead if it were true to get people to believe them?
oh no, arc no more! Hopefully you get through it!
change the title to 20k!
Theo didn't pay 20k though, he paid 2k... Don't make it more clickbaity than it already is
How did u add the kitty
eva's blog has that
That moment when not open source.
I'll stick to Zen thanks
that's what happens when you try to reinvent the wheel..
hmm isn't this how Supabase works as well?
yep, though at least supabase provides more than just a firebase clone, whereas firebase only provides firebase
@zuma206 lol good one… well, time to check the policies just in case I guess!
Nope, in case other "inexperienced" devs were wondering the same thing.
Supabase in the end is PostgreSQL. Hence, the part you feel familiar with is a combination of "row level security (RLS)" + "anonymous user rights".
Afaik, RLS by default is on with empty policies. That means unless you make an exception rule, anonymous has no right to do anything.
You can still go the traditional route and have your own server and API with a private key to handle all the user requests; that will bypass the RLS.
The anonymous key thing is just something that allows you to skip the server and directly access the DB from the client, but you move all the "heavy lifting (auth check, etc.)" to the database level. If you are doing something simple like read-only, maybe it's fine. And it could be insanely fast as you skip the server layer. But whenever things become complex, it's likely a trap and can cause security issues, because it's just harder to handle everything via SQL statements and DB level privilege controls compared to programming languages and a server.
Whereas the Firebase default seems like the opposite of RLS: you have all rights to do anything unless you make a rule against it. That's a security nightmare to handle.
Hence the problem here for the Arc team is that their engineers were naïve enough to decide to offload everything into DB privilege controls rather than having a server in front doing the heavy lifting. Ideally, they should have both! Server as one layer of protection and DB level (which they are currently using) as the final level of protection.
5:27 uBlock Origin is good not only for hiding annoying elements, but also for applying custom CSS rules (using its selector:style(color:red) syntax)
I imagine they’re not using IndexedDB because of a cloud sync or something?
They were more responsible than CrowdStrike hahaha.
I'm bored of Arc's sidebar tabs taking up 15% of the screen real estate on my 13 inch display. Patiently waiting for Zen browser to become stable enough to use
it is technically already fine and less janky than using Firefox's vertical bar CSS (which is what I'm kind of doing on my laptop, while on my main machine I use Zen)
You can get the same experience in base Firefox with extensions. Zen is just a pretty coat of paint that might cost you 2k one day 😉
@opposite342 Yeah nice. Maybe I should update and try it out again
I've been using it on my Linux laptop and Windows desktop since Theo dropped the video about it. The only real issues I've encountered have been 1 crash and the theme store going offline for a bit, so all things considered it's very usable. Also, the compact mode is a fucking blessing for smaller displays once you learn the shortcuts.
Seems like a bad default on Firebase's side. They should have security by default, not opt-in security. But then it would be difficult to adopt for beginners since you have to do all these configurations just to use it, which I think is worth it in the long run but is still a barrier to entry.
It’s like a classic tug of war between engineering and marketing. You need both to be successful but it is most definitely a wrong call for this situation.
If enough ppl stop using firebase they’ll be forced to change.
The Browser Company has no business model at all. I don't get it. And a bug this bad should get a company just plain shut down.
ARC is probably way too small for state actors to care. But after this, lol, who knows....
Dang good Browserbase ad! I love that you just _showed_ what it does and that was the best sales pitch!
Yeah, I'm not gonna use this shit. The fact this could happen in the first place makes me lose faith in the project.
Am I crazy or does it seem kinda foolish to use these obscure browsers?
It's always nice to see fellow programmers help each other when companies don't make it right! Love your videos btw
Theo not talking about browsers challenge (IMPOSSIBLE)!
The cat following the cursor is so cute damn 🔥🔥🔥🔥
The cat is awesome!
Clown browser. Cool UI though.
If it isn’t my arch nemesis Firebase. Too easy to make a security flaw and it’s never your fault
So you've been Arced and you've been Clerked
But it all boils down to having access to someone else's creator/user/whatever Id. Now, arguably, this could be accessed by a mitm or something else that can listen to a machine's calls. It is impressive but I was kinda expecting something a bit more explosive.
Edit: I just reached the point of the video where you practically advertise your own user Id to the public. Amazing security concept, great success! Whoever thought of that should be awarded engineer of the year!
That being said, good job on researching the browser and even better job to keep the white hat on.
P.S. so people *really* use firebase huh? TIL.
Very interesting video, but was the clickbait really necessary?
they should remove that account option
I have been developing on Firebase for many years, but I always disable direct writes from clients, and only allow them to read. All mutations flow through API endpoints instead. It takes away the out-of-the-box optimistic updates, but retaining this kind of control makes me sleep better.
That's why I don't touch hyped browser with "flashy" new features
This would not have been a problem with Ladybird.
Well it's cool that these things are being caught. No software is perfect when it comes out. Arc's focus was purely around the UX and I bet they'll improve their internal implementation with champions like Eva
A like for you, for matching the initial payout
arc is fucking horrible lol, I just could never transition to it
If they could just stop asking for emails to use a browser. It's such an issue.
You want to increase your browser user count, but then block them for an email?
I'm actually binging all your videos to get the insights into the tech industry that I have desired for many years.
That's amazing, I'm happy they handled it well afterwards. Congrats to Eva and just wow 😂
WHERES THE SKIT THEO IM ONLY HERE FOR YOUR ACTING SKILLS
hmm yeah i think im going to stick to firefox XD
Torvalds: My kernel got hacked
wow maybe i should change my browser
This seems like a `${whatEver}base` issue.
Firebase is real infra 🗣️
Just use chrome👍
And we ❤️ Eva
OMG, that cat!
Common Arc L
🎉 first
love eva 😍
nice
hi
e
the Browser Company blog entry on the subject is dated September 20, that is before the incident. WTF.
They were made aware of it on Aug 25th
Kind of expected it sooner rather than later, Arc had just too much hype around it and when they initially launched the browser exclusively for Apple and deferred the Windows launch for later, that was kind of a red flag for me. Just my opinion.
It’s like they built their business model around both the good and the bad of apple. From what I hear closed ecosystem (in a browser!) is a thing in Arc and there are people using various complicated scripts just to export passwords and data
Vivaldi > everything.
Just my opinion of course, but I'm yet to see a feature in a browser I want or think is cool that Vivaldi cannot do.
Vivaldi is closed source though, firefox ftw. open source and big-tech free
Vivaldi was too slow for me, Zen so far is a great alternative
Nice blog post, but it would be much easier to read, if eva would learn to use uppercase characters...
I'm a bit thick so can someone confirm I understood correctly. It went like this right?
1. Create your own Boost (like a tampermonkey script), to do whatever you want.
2. Update the creator ID field to that of a different user.
3. That boost has now been 'transferred' to that other user and will run whatever you set it up to do
is that it? If so that seems like a major dumb-dumb; like how do you miss something like that haha
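To make the ownership mistake the steps above and the request.auth discussion earlier in the thread describe concrete, here is an added illustration that is not Arc's actual ruleset, nor code from Eva's write-up or the Firebase docs: a hypothetical Firestore rule that trusts a client-writable creatorID field, followed by a hardened version that derives identity from the verified token and pins creatorID to it. The collection names and every field other than creatorID are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (hypothetical): ownership is read from a field the client itself
    // supplies. Nothing ties creatorID to the caller's verified identity, so an
    // update may set it to any uid and the document will surface in that
    // user's "my boosts" query. There is also no request.auth null check.
    match /boosts_weak/{boostId} {
      allow read: if true;
      allow create, update: if request.resource.data.creatorID != null;
    }

    // HARDENED: identity is request.auth.uid from the verified sign-in token.
    // The stored creatorID must equal that uid on create, and an update must
    // satisfy the check for both the existing and the incoming document, so
    // creatorID can never be moved to someone else.
    match /boosts/{boostId} {
      function signedIn() {
        return request.auth != null && request.auth.uid != null;
      }
      function ownsExisting() {
        return signedIn() && resource.data.creatorID == request.auth.uid;
      }
      function ownsIncoming() {
        return signedIn() && request.resource.data.creatorID == request.auth.uid;
      }

      allow read:   if ownsExisting();
      allow create: if ownsIncoming();
      allow update: if ownsExisting() && ownsIncoming();
      allow delete: if ownsExisting();
    }
  }
}
```

Exercise the hardened rules in the Firebase emulator before deploying: a signed-in user's update that rewrites creatorID to any other uid should be denied, and an unauthenticated request should fail every operation.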
10:43 You'll notice you just wrote an SQL injection. The appeal of letting your database service handle it for you is that I can just configure the service correctly, hopefully more easily than code, and automatically eliminate chances of my own errors breaking security. …This of course becomes a moot point when the configuration becomes just as complex as the code would've been and there's broken defaults and footguns everywhere.
Query parameters aren't that hard to use.
No, he did not write an SQL injection.
It is worth going back and watching the video again from 9:15 to 9:55 and seeing how careful and security-aware he is.
You will then notice that he specifically wrote a super pseudo / non-SQL example and clearly stated that you would want to validate / sanitize the new username also.
In my world, the cloud is not allowed.
1 view in 31 seconds?? bro fell off
a browser shouldn't even need an account
Love Arc and the Browser Company and the way they ultimately handled this, makes me love them even more
Yeah, yeah, terrifying browser exploit, who cares? Look at the little kitty!