My Browser Got Hacked

What is Arc Browser and Why is it Popular?

Arc Browser is a new and innovative browser that has quickly gained popularity among users. Unlike traditional browsers, Arc is based on Chrome but incorporates a unique workflow and numerous advanced features. This browser offers an entirely different browsing experience that can be tailored to individual preferences.

One of the notable features of Arc is its Easels, which function as a whiteboard-like interface. Users can easily share their Easels, making it useful for dynamic and collaborative activities. Additionally, Arc implements Arc Boosts, a tool that lets users customize websites by blocking elements, changing fonts and colors, and even injecting custom CSS and JavaScript.

Another reason for its popularity is the requirement of an account to use the browser. This allows for cloud synchronization of settings and preferences, providing a seamless experience across devices.

Arc also stands out for its performance and the many features built on top of its Chrome base. Despite some security flaws, the team is proactive in addressing any issues and continually improving the browser's capabilities.

The combination of unique features, personalized browsing experiences, and continuous development has made Arc Browser a favorite among tech enthusiasts and everyday users alike.

How Was the Arc Browser Vulnerability Discovered?

The Arc Browser vulnerability was unearthed through rigorous investigation. Eva, a prominent hacker, played a key role in this discovery. The process revealed that Arc's use of Firebase was at the core of the problem.

• Initially, Eva noticed that Arc required user accounts and was utilizing Firebase for authentication.
• Through detailed examination, she identified Easels, a user interface for sharing whiteboard-like content, and suspected Firestore was being utilized.
• By using hacking techniques, she created scripts to intercept Firestore calls, discovering stored preferences and user objects.
• Arc Boosts, a feature allowing customization of websites, were found to store custom CSS and JavaScript.

Eva's analysis revealed a critical flaw in the way Firestore creator IDs were handled. She found that:

• Creator IDs could be manipulated to inject malicious JavaScript.
• This process required only the user ID, which could be obtained through referral links or other features like Easels.

The initial analysis involved:

• Setting up a man-in-the-middle proxy to capture Firebase interactions.
• Discovering insufficient security rules in Firebase's configuration, which allowed for unauthorized actions.

Eva's meticulous approach unraveled a significant security issue, prompting immediate action from the Arc team.

What is Firebase and How Did It Contribute to the Exploit?

Firebase is a comprehensive app development platform owned by Google. It offers a variety of tools for building, improving, and growing apps. Common uses of Firebase include:

• Authentication: Simplifies user login processes with secure methods.
• Database Management: Provides real-time databases and Firestore, a flexible, scalable NoSQL cloud database.
• Analytics: Offers detailed user behavior insights and performance tracking.

Despite its popularity, Firebase's default configurations can lead to security vulnerabilities:

• Default Rules: Often, default security rules are too permissive, allowing unauthorized access.
• Direct Database Access: Developers may rely on client-side security checks, which are easier to bypass than server-side checks.
• Insufficient Permissions: Incorrectly set permissions for fields like creator IDs can enable malicious activities.

In the case of the Arc Browser hack:

• Creator IDs were manipulable, which allowed the injection of custom JavaScript.
• The lack of restrictive security rules made it possible to alter creator IDs.
• Firebase's ability to directly interact with the database without additional server-side validation augmented the risk.

Understanding these inherent risks highlights the need for rigorous security practices when using Firebase.

How Did the Exploit Work?

The exploit took advantage of how Firestore handled creator IDs. By manipulating these IDs, a hacker could inject custom JavaScript into the Arc Browser.

Technical Breakdown:

1. Firestore Usage:

   • Arc used Firestore for storing user preferences.
   • Firestore enabled boosts, which allow users to customize websites with CSS and JavaScript.

2. Manipulation of Creator IDs:

   • Each boost had a creator ID linking it to a user.
   • The system had insufficient security rules, allowing unauthorized changes to these IDs.

3. Injection of Custom JavaScript:

   • The hacker first created a boost on their own account.
   • This boost contained JavaScript code meant to run on specified websites.
   • By changing the creator ID to another user’s ID, the boost appeared as if it was created by the target user.

4. Execution:

   • When the target accessed a website, the malicious JavaScript executed.
   • This occurred because the Arc Browser pulled the boost from Firestore, believing it was legitimate for that user.

Code Snippet:

firebase.firestore().collection('boosts')
  .where('creatorID', '==', 'victimID')
  .get()
  .then(querySnapshot => {
    querySnapshot.forEach(doc => {
      // Modify document here
      doc.ref.update({ creatorID: 'hackerID' });
    });
  });

This simple exploitation process highlighted significant security flaws, necessitating immediate fixes.

What Were the Immediate Reactions and Responses?

The discovery of the Arc Browser hack prompted swift and varied responses from different stakeholders. The Arc team reacted by acknowledging the severity of the issue. "We made mistakes. We won't make them again," they assured, pledging to fix the vulnerabilities. Their CTO responded, "We're already working to move off Firebase for new features."

Eva, the notable hacker who discovered the exploit, drew significant attention within the hacker community. Her detailed breakdown of the issue was lauded as both informative and alarming. "Gaining access to anyone's browser without them even visiting a website," she tweeted, capturing the exploit's gravity.

Public reactions were also intense. Many users expressed concerns over browser security flaws and questioned Arc's reliance on Firebase. One user remarked, "This is terrifying! Can’t believe such a flaw existed." The hacker community echoed the sentiment, with some commending Arc for their quick response and others criticizing the initial $2,000 bounty.

Finally, Arc raised the bounty to $20,000, a move that was well-received. Their transparent incident breakdown and commitment to future updates have assuaged some fears, demonstrating a proactive approach to rectifying the issue.

What Steps Have Been Taken to Fix the Vulnerability?

Arc Browser took swift action to address the discovered vulnerability. Their steps included immediate and long-term measures to enhance security.

• Patch Implementation: Within 24 hours of notification, Arc issued a patch to fix the vulnerability. This showed their commitment to immediate resolution.

• Increased Bug Bounty: Initially offering a $2,000 bounty, Arc recognized the severity of the exploit and increased the reward to $20,000.

• Security Reassessment: They began a thorough audit of their Firebase ACL rules. This involved analyzing all fields and implementing tighter restrictions to prevent similar issues.

• Moving Away from Firebase: Recognizing inherent risks, Arc has started migrating new features away from Firebase. This move aims to reduce dependence on potentially vulnerable third-party services.

• External Security Audits: An external firm will now audit Arc Browser, adding an extra layer of security validation.

• Bug Bounty Program: To uncover further vulnerabilities, Arc launched an official bug bounty program. This initiative encourages ethical hackers to test and report security flaws.

These measures demonstrate Arc's commitment to improving browser security and ensuring a safe user experience. For a broader understanding of safety measures like staggered deployments, refer to CrowdStrike's preventive steps.

What Can Users Do to Protect Themselves?

Protecting yourself while using browsers like Arc involves several proactive steps:

• Regularly Update Your Browser: Always ensure your browser is up-to-date with the latest patches and security updates. Developers continuously improve security features to mitigate new threats.

• Be Wary of Links and Referrals: Avoid clicking on suspicious links or sharing your browser's referral links publicly. Malicious actors can exploit these to gain access to your data.

• Use Strong, Unique Passwords: Utilize strong and unique passwords for your browser accounts. Consider using a password manager to keep track of them.

• Enable Two-Factor Authentication (2FA): Whenever possible, enable 2FA on your accounts. This adds an extra layer of security by requiring a secondary form of identification.

• Review Browser Settings Regularly: Periodically check your browser's security and privacy settings. Adjust them to enhance your protection and limit data sharing.

• Stay Informed About Security News: Keep abreast of the latest security news and potential vulnerabilities. Awareness can help you take timely action to protect your browsing activities.

By following these practices, you can significantly enhance your online security and reduce the risk of falling victim to browser-related exploits.