top | item 41603670

(no title)

ha470 | 1 year ago

I’m Hursh, cofounder and CTO of The Browser Company (the company that makes Arc). Even though no users were affected and we patched it right away, the hypothetical depth of this vulnerability is unacceptable. We’ve written up some technical details and how we’ll improve in the future (including moving off Firebase and setting up a proper bug bounty program) here: https://arc.net/blog/CVE-2024-45489-incident-response.

I'm really sorry about this, both the vuln itself and the delayed comms around it, and really appreciate all the feedback here – everything from disappointment to outrage to encouragement. It holds us accountable to do better, and makes sure we prioritize this moving forward. Thank you so much.

discuss

ayhanfuat|1 year ago

Was the post written for HN users only? I cannot see it on your blog page (https://arc.net/blog). It’s not posted on your twitter either. Your whole handling seems to be responding only if there is enough noise about it.

sushid|1 year ago

Hursh, can you please respond to the above commenter? As an early adopter, I find it fairly troubling to see a company that touts transparency hide the blog post and only publicly "own up to it" within the confines of a single HN thread.

titaniumtown|1 year ago

Not a good look it not being on the main page! I personally use [zen browser](https://github.com/zen-browser/desktop); I like the ideas of Arc, but it always seemed sketchy to me, especially it being Chromium-based and closed-source.

unknown|1 year ago

[deleted]

tomjakubowski|1 year ago

Hi Hursh, I'm Tom. A couple friends use Arc and they like it, so I had considered switching to it myself. Now, I won't, not really because of this vulnerability itself (startups make mistakes), but because you paid a measly $2k bounty for a bug that owns, in a dangerous way, all of your users. I won't use a browser made by a vendor who takes the security of their users this unseriously.

By the way, I don't know for sure, but given the severity I suspect on the black market this bug would have gone for a _lot_ more than $2k.

poincaredisk|1 year ago

Selling vulnerability on the black market is immoral and may be illegal. The goal of bug bounty programs was initially to signal "we won't sue white hat researchers who disclose their findings to us", when did it evolve into "pay me more than criminals would, or else"?

JumpCrisscross|1 year ago

> because you paid a measly $2k bounty for a bug that owns, in a dangerous way, all of your users

The case is redeemable. It may still be an opportunity if handled deftly. But it would require an almost theatrical display of generosity to the white hat (together, likely, with a re-constituting of the engineering team).

ljm|1 year ago

You have no idea but you suspect someone could have made more?

tengbretson|1 year ago

So you're not going to use Arc. How much do you pay for the browser you do use?

keepamovin|1 year ago

Should have at least paid €1 per user. Eh, maybe that’s what they did?

rachofsunshine|1 year ago

Comments further down are concerned that on each page load, you're sending both the URL and a(n identifiable?) user ID to TBC. You may want to comment on that, since I think it's reasonable to say that those of us using not-Chrome (I don't use Arc personally, but I'm definitely in the 1% of browser users) are likely to also be the sort of person concerned with privacy. Vulnerabilities happen, but sending browsing data seems like a deliberate design choice.

mthoms|1 year ago

I think that is addressed in the post. Apparently the URL was only sent under certain conditions and has since been addressed:

>We’ve fixed the issues with leaking your current website on navigation while you had the Boost editor open. We don’t log these requests anywhere, and if you didn’t have the Boosts editor open these requests were not made. Regardless this is against our privacy policy and should have never been in the product to begin with.

Given the context (boosts need to know the URL they apply to after all) this indeed was a "deliberate design choice" but not in the manner you appear to be suggesting. It's still very worrisome, I agree.

tyho|1 year ago

There isn't really anything you can do to convince me that your team has the expertise to maintain a browser after this. It doesn't matter that you have fixed it, your team is clearly not capable of writing a secure browser, now or ever.

I think this should be a resigning matter for the CTO.

avarun|1 year ago

And what, you’re going to find them a new CTO? What kind of magical world do you live in where problems are solved by leaders resigning, instead of stepping up and taking accountability?

pembrook|1 year ago

Surprise surprise, turns out it takes a looong time for every software startup to finally strip out all the hacky stuff from their MVP days. Apparently nobody on this startup community forum has ever built a startup before.

Pro tip: if stuff like this violently upsets you, never be an early adopter of anything. Wait 5-10 years and then make your move.

Personally, I expect stuff like this from challenger alternatives, this is the way it should be. There is no such thing as a new, bug-free software product. Software gets good by gaining adoption and going through battle testing, it’s never the other way around like some big company worker would imagine.

Insanity|1 year ago

Well, the current team perhaps.

But it's also likely part of the startup mentally of "move fast and break things", which is not entirely compatible with the goal of the browser.

bloopernova|1 year ago

Will you be increasing the bug bounty payout? $2,000 is a tiny fraction of what this bug is worth, I hope you will pay the discoverer a proper bounty.

You've been handed a golden opportunity to set the right course.

JumpCrisscross|1 year ago

> $2,000 is a tiny fraction of what this bug is worth

The Browser Company raises $50mm at a $550mm post-money valuation in March [1]. They’ve raised $125mm altogether.

Unless they’re absolute asshats, they’ll increase the bug payout. But people act truly when they don’t think they’re being watched—a vulnerability of this magnitude was worth $2k to this company. That’s…eyebrow raising.

[1] https://techcrunch.com/2024/03/21/the-browser-company-raises...

rattray|1 year ago

Hursh responded elsewhere on the thread:

https://news.ycombinator.com/item?id=41606219

Laaas|1 year ago

Any new vulnerability will be sold to the highest bidder and/or exploited instead of being reported for the bug bounty because of this.

unknown|1 year ago

[deleted]

qwertox|1 year ago

> including moving off Firebase

Firebase is not to blame here. It's a solid technology which just has to be used properly. Google highlights the fact that setting up ACLs is critical and provides examples on how to set them up correctly.

If none of the developers who were integrating the product into Arc bothered about dealing with the ACLs, then they are either noobs or simply didn't care about security.

com2kid|1 year ago

Saying Google provides examples of being rather nice about it.

Firebase ACLs are a constant source of vulnerabilities largely because they are confusing and don't have enough documentation around them.

tanx16|1 year ago

> We’re also bolstering our security team, and have hired a new senior security engineer.

Is there a reason why you don’t have any security-specific positions open on your careers site?

ha470|1 year ago

We did but we closed the roles by hiring folks. They just haven’t joined yet.

zo1|1 year ago

Until this individual comes back and responds to at least a few of the questions/comments, I don't think we should even pay attention to this marketing-dept-written post. They basically want this to go away, and answering any questions would raise more issues most likely, so they just seemed to have done the bare minimum and left it at that. It's 3 hours later now, they might as well have not even posted anything here.

exdsq|1 year ago

$2000 is an absurdly small bounty here - you should up that

radicaldreamer|1 year ago

50k or 100k would be far more appropriate given the severity of this issue. But overall, this makes me think there's probably a lot more vulnerabilities in Arc that are undiscovered/unpatched.

Also, there's the whole notion of every URL you visit being sent to Firebase -- were these logged? Awful for a browser.

ha470|1 year ago

Ya this is fair! Honestly this was our first bounty ever awarded and we could have been more thoughtful. We’re currently setting up a proper program and based on that rubric will adjust accordingly.

FleetAdmiralJa|1 year ago

I think the bigger question is: Why are you violating your own security policy by keeping track on what we browse. I though my browsing is private and hidden away from you but if you store my browsing data in your firebase this is not acceptable at all.

liendolucas|1 year ago

> "...the hypothetical depth of this vulnerability is unacceptable."

What is also unacceptable is to pay 2000 dollars for something like this AND have to create user accounts to use your browser. Will definitely stay away from it.

_kidlike|1 year ago

no mention of the pitiful bounty reward (2000 usd). only sorry and thanks. Please award this person a proper bounty.

__turbobrew__|1 year ago

Are you going to address the part where you send visited websites to Firebase which goes against your privacy policy of not tracking visited URLs?

NegativeLatency|1 year ago

Only $2k for an exploit like this?

markandrewj|1 year ago

I would like to respectfully provide the suggestion of allowing for the use of Arc without being signed into an account. Although I understand browser/device sync is part of most modern browsers, and the value it provides, normally it is a choice to use this feature. Arc still provides a lot of attractive features, even without browser sync on.

benreesman|1 year ago

I like Arc, and I don’t want to pile on: God knows I’ve written vulnerable code.

To explore a constructive angle both for the industry generally and the Browser Company specifically: hire this clever hacker who pwned your shit in a well-remunerated and high-profile way.

The Browser Company is trying to break tradition with a lot of obsolete Web norms, how about paying bullshit bounties under pressure rather than posting the underground experts to guard the henhouse.

If the Browser Company started a small but aggressive internal red team on the biohazard that is the modern web?

I’ll learn some new keyboard shortcuts and I bet a lot of people will.

nixosbestos|1 year ago

So when there are near weekly reports of websites being compromised due to horrid Firebase configuration, did absolutely no one on your teams raise a red flag? Is there some super low-pri ticket that says "actually make sure we use ACLs on Firebase"?

kernal|1 year ago

>Arc brought order to the chaos that was my online life. There’s no going back.

Bringing the chaos back like it's 1999.

msephton|1 year ago

I misread your name as Hush which is kind of fitting considering how you're trying to make this go away

metadat|1 year ago

Hursh / ha470, where did you go? There are lots of good questions in the replies to your thread, yet you went dark immediately after posting more than 8 hours ago. It's hard to imagine what could be more pressing than addressing people's concerns after a major security incident such as this.

To be honest, I'm a bit disappointed. For future reference, this doesn't seem like a good strategy to contain reputational damage.

FactKnower69|1 year ago

remember when reading this that this guy's company is valued at a billion dollars and his comp is 10x yours if not more. we live in a meritocracy

ycombinatrix|1 year ago

ngl this is pretty pathetic. the massive security hole is one thing but you're just gonna gloss over violating your own privacy policy?

exabrial|1 year ago

Bro you should be requiring accounts to download HTML. Come on man.

mirzap|1 year ago

Pay the guy properly. $2000 is an insult. It should be $50k. This kind of bug could be sold for 100-200k easily.

JumpCrisscross|1 year ago

> This kind of bug could be sold for 100-200k easily

Maybe not. If the browser is that buggy, there may be plenty of these lying around. The company itself is pricing the vulnerability at $2k. That should speak volumes to their internal view of their product.

unknown|1 year ago

[deleted]

unknown|1 year ago

[deleted]

bobmcnamara|1 year ago

[deleted]

ibash|1 year ago

Thanks for the response.

While people might nitpick on how things were handled, the fact that you checked if anyone was affected and fixed it promptly is a good thing.

ziddoap|1 year ago

It is not really nitpicking, given the severity.

Being prompt on a vulnerability of this magnitude should be considered "meeting the standard" at best.

metadat|1 year ago

The CTO and co-founder didn't check in on any of the concerns, completely disappeared after leaving a heartfelt comment. This comes off as incredibly disingenuous.