How an incredibly amateur mistake left Arc Browser wide open to hackers

Fireship

5 Oct 202404:56

Summary

TLDRThe video discusses a significant security vulnerability in the Arc browser, which allowed attackers to execute malicious JavaScript and CSS without users visiting a malicious site. The root cause was misconfigured security rules in Google's Firebase, used by Arc to store user data. This error allowed user IDs to be altered, creating major security risks. Though the issue was quickly patched without exploitation, the video highlights the importance of strong security practices when dealing with executable code. It also introduces Clerk, a secure user authentication platform as an alternative to Firebase.

Takeaways

😱 Arc Web Browser experienced a catastrophic vulnerability, allowing hackers to execute CSS and JavaScript on any website without user interaction.
🔐 The exploit was similar to cross-site scripting, enabling attackers to steal passwords, track browser history, and manipulate content.
👨‍💻 The vulnerability was discovered by a researcher named XYZ 3va, who responsibly reported the issue to the Arc team.
🚨 The root cause was a misconfiguration in security rules on Firebase, which stored user-created Boosts (custom CSS and JavaScript) across devices.
⚡ Arc quickly patched the vulnerability, and fortunately, no users were exploited by the attack.
🌐 Arc Browser allows users to create and share custom Boosts for websites, but the vulnerability arose because users could change the creator ID of these Boosts.
🔥 The security researcher found that a user could assign their Boost to another user's ID, enabling malicious scripts to run on other users' accounts.
🚧 The issue stemmed from the ability to modify creator IDs without proper verification, which could have been prevented with stricter Firestore security rules.
😬 Arc's decision to stop using Firebase after the incident appeared to be an attempt to deflect some blame, though Firebase itself was not inherently at fault.
👨‍🏫 The video emphasized the importance of testing security logic thoroughly, especially when dealing with executable code.

Q & A

What was the nature of the vulnerability in the Arc web browser?
-The Arc web browser had a vulnerability that allowed hackers to gain 'God mode' access, executing CSS and JavaScript on any website without the user visiting a malicious site. This cross-site scripting exploit could allow attackers to log passwords, track browsing history, and even insert fake news into websites.
How was the Arc vulnerability discovered, and was anyone affected?
-The vulnerability was discovered by a security researcher named XYZ 3va, who reported it to the Arc team. Thankfully, no one was exploited, and Arc patched the issue the next day.
Why is the vulnerability particularly surprising given Arc's foundation?
-The vulnerability is surprising because Arc is based on the highly secure Chromium browser engine, which is known for its security. The root cause was traced back to misconfigured security rules, specifically in Arc's Firebase backend.
What is the 'Boost' feature in the Arc browser?
-Boost is a feature in the Arc browser that allows users to customize any website with their own CSS and JavaScript. Users can modify the design of websites they dislike and even share those adjustments with others, though sharing custom JavaScript is not allowed due to potential security risks.
How does Arc store data for the 'Boost' feature, and where did the security issue occur?
-Arc stores Boost data in Google Firebase's Firestore database, using a user ID to link custom data to the correct user. The security issue arose when the system allowed users to change the creator ID of a boost, potentially letting them execute harmful JavaScript on other users' pages.
Why was allowing users to change the creator ID in Firestore such a critical failure?
-Allowing users to change the creator ID was a massive security oversight because it gave users the ability to assign executable code to another user's account, making it easy for attackers to inject malicious scripts. This is especially problematic since the boost data contains executable JavaScript.
What could have prevented this vulnerability in Arc?
-The vulnerability could have been prevented by applying stricter Firestore security rules that disallow changes to the creator ID unless the authenticated user matches the creator. This would ensure that only authorized users can modify their own Boost data.
Why did Arc's use of Firebase contribute to the vulnerability, and who is ultimately responsible?
-While Firebase was used to store user data, the vulnerability was due to misconfigured security rules on Arc's part, not Firebase's platform itself. The blame falls on Arc for not properly securing its backend, though some users may criticize Firebase for its ease of use potentially leading to security lapses.
What actions did Arc take after the vulnerability was discovered?
-Arc took immediate action after the vulnerability was reported, fixing the issue the next day. The company has since decided to stop using Firebase, likely to distance itself from the incident, though Firebase was not at fault.
What does the vulnerability teach about security in web development?
-This incident highlights the importance of thoroughly testing and bulletproofing security logic, especially when handling sensitive data or executable code. It emphasizes that even platforms with easy-to-implement security features, like Firebase, require proper configuration and diligence.