{"id":45036,"date":"2024-09-20T15:38:50","date_gmt":"2024-09-20T19:38:50","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=45036"},"modified":"2024-09-20T15:38:50","modified_gmt":"2024-09-20T19:38:50","slug":"gaining-access-to-anyones-arc-browser","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2024\/09\/20\/gaining-access-to-anyones-arc-browser\/","title":{"rendered":"Gaining Access to Anyone&rsquo;s Arc Browser"},"content":{"rendered":"<p><a href=\"https:\/\/kibty.town\/blog\/arc\/\">xyzeva<\/a> (via <a href=\"https:\/\/news.ycombinator.com\/item?id=41597250\">Hacker News<\/a>):<\/p>\n<blockquote cite=\"https:\/\/kibty.town\/blog\/arc\/\">\n<p>firestore is a database-as-a-backend service that allows for developers to not care about writing a backend, and instead write database security rules and make users directly access the database.<\/p>\n<p>this has <a href=\"https:\/\/env.fail\/posts\/firewreck-1\">of course sparked a lot of services having insecure or insufficient security rules<\/a> and since researching that, i would like to call myself a firestore expert.<\/p>\n<p>[&#8230;]<\/p>\n<ul>\n<li>arc boosts can contain arbitrary javascript<\/li>\n<li>arc boosts are stored in firestore<\/li>\n<li>the arc browser gets which boosts to use via the <code>creatorID<\/code> field<\/li>\n<li><strong>we can arbitrarily change the <code>creatorID<\/code>&nbsp;field to any user id<\/strong><\/li>\n<\/ul>\n<p>thus, if we were to find a way to easily get someone else&rsquo;s user id, we would have a full attack chain<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/arc.net\/blog\/CVE-2024-45489-incident-response\">Hursh Agrawal<\/a>:<\/p>\n<blockquote cite=\"https:\/\/arc.net\/blog\/CVE-2024-45489-incident-response\">\n<p>We want to let all Arc users know that a security vulnerability existed in Arc prior to 8\/25\/24. We were made aware of a vulnerability on 8\/25; it was fixed on 8\/26. 
This issue allowed the possibility of remote code execution on users&rsquo; computers. We&rsquo;ve patched the vulnerability immediately, already rolled out the fix, and verified that no one outside of the security researcher who discovered the bug has exploited it. This means no members were affected by this vulnerability, and you do not need to take any action to be protected.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/news.ycombinator.com\/item?id=41598211\">bhaney<\/a>:<\/p>\n<blockquote cite=\"https:\/\/news.ycombinator.com\/item?id=41598211\"><p>There are a lot of major security vulnerabilities in the world that were made understandably, and can be forgiven if they&rsquo;re handled responsibly and fixed.<\/p><p>This is not one of them. In my opinion, this shows a kind of reputation-ruining incompetency that would convince me to never use Arc ever again.<\/p><\/blockquote>\n\n<p>As I wrote <a href=\"https:\/\/mjtsai.com\/blog\/2023\/05\/03\/arc-browser\/\">before<\/a>, I thought it was <a href=\"https:\/\/x.com\/abooAyoob\/status\/1837094302750564623\">sketchy<\/a> that they required an account, and it&rsquo;s also a red flag that the CVE response blog post does not seem to <a href=\"https:\/\/news.ycombinator.com\/item?id=41603984\">actually be linked<\/a> from their blog.<\/p>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2023\/05\/03\/arc-browser\/\">Arc Browser<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>xyzeva (via Hacker News): firestore is a database-as-a-backend service that allows for developers to not care about writing a backend, and instead write database security rules and make users directly access the database. 
this has of course sparked a lot of services having insecure or insufficient security rules and since researching that, i would like [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2024-09-20T19:38:52Z","apple_news_api_id":"5e99b18e-ad17-4a0c-bdd8-85fc5358b7b4","apple_news_api_modified_at":"2024-09-20T19:38:52Z","apple_news_api_revision":"AAAAAAAAAAD\/\/\/\/\/\/\/\/\/\/w==","apple_news_api_share_url":"https:\/\/apple.news\/AXpmxjq0XSgy92IX8U1i3tA","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[2374,1755,131,2095,30,32,2598,355,96],"class_list":["post-45036","post","type-post","status-publish","format-standard","hentry","category-technology","tag-arc-browser","tag-breach","tag-bug","tag-exploit","tag-mac","tag-macapp","tag-macos-15-sequoia","tag-privacy","tag-web"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/45036","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=45036"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/45036\/revisions"}],"predecessor-version":[{"id":45037,"href"
:"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/45036\/revisions\/45037"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=45036"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=45036"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=45036"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}