Gaining access to anyone's Arc browser without them even visiting a website

Nature and Severity of the Vulnerability

  • Commenters describe the bug as “catastrophic” and “rookie-level”: client-controlled user IDs in Firebase rules let an attacker take over any Arc account and run arbitrary JS on every page those users visit, including privileged browser UI.
  • Many note that browsers are extremely security‑sensitive (on par with OS or SSH daemons), so a flaw of this type is seen as reputation‑destroying for a browser vendor.
  • Some point out that the exploit was trivial to find and exploit, which raises fears there may be more undiscovered issues.

Firebase, Security Model, and Responsibility

  • Strong criticism of Firebase’s security model: default‑deny rules exist, but it’s easy to misconfigure and “bolt‑on” rules are a common foot‑gun.
  • Others push back: Firestore rules deny everything by default, docs clearly explain request.auth.uid and ownership checks; this is framed as a basic “never trust the client” failure by Arc, not Firebase.
  • Several argue that letting clients talk directly to a shared DB is inherently risky compared to a traditional backend API.
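As an added illustration of the ownership-check failure these comments describe (example Firestore Security Rules written for this summary, not Arc's actual configuration; the collection name `boosts` and the field `ownerUid` are assumptions), the weak pattern sits beside the hardened one:

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (hypothetical reconstruction, not Arc's real rules):
    // the owner field comes from the client's own request body, so any
    // signed-in user can write a document that claims to belong to someone else.
    match /boosts_weak/{boostId} {
      allow read: if request.auth != null;
      allow write: if request.auth != null
                   && request.resource.data.ownerUid is string;
    }

    // HARDENED: ownership is derived from the verified ID token
    // (request.auth.uid), never from client-supplied data, and the
    // owner field cannot be reassigned once the document exists.
    match /boosts/{boostId} {
      allow read: if request.auth != null
                  && resource.data.ownerUid == request.auth.uid;
      allow create: if request.auth != null
                    && request.resource.data.ownerUid == request.auth.uid;
      allow update: if request.auth != null
                    && resource.data.ownerUid == request.auth.uid
                    && request.resource.data.ownerUid == resource.data.ownerUid;
      allow delete: if request.auth != null
                    && resource.data.ownerUid == request.auth.uid;
    }
  }
}
```

The Firebase emulator's rules unit-test harness can exercise both blocks with two different test UIDs to confirm that a cross-user write is rejected under the hardened rules.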

Privacy and Arc’s Architecture

  • Arc’s mandatory account requirement was already a red flag for many; several say that alone kept them from trying it.
  • The thread highlights Arc sending visited hostnames plus user ID to Firebase for Boosts, contradicting marketing claims that they “don’t know which sites you visit.” Even if this happens only while certain features are open, it is seen as a serious policy breach.
  • Some are disturbed that Arc depends heavily on Firebase at all for a privacy‑branded browser, and wonder what breaks if Firebase is down.

Response, Communication, and Bug Bounty

  • Positive notes: very fast technical response (roughly a day) after private disclosure; commitment to move off Firebase, bolster security, and create a formal bounty program.
  • Negative notes: $2,000 bounty is widely viewed as insultingly low for a browser‑wide account takeover; many say this signals Arc doesn’t value security highly.
  • Several criticize delayed, low‑visibility communication (initially not front‑paging the incident write‑up), seeing it as image‑protective rather than user‑protective.

User Reactions and Alternatives

  • Multiple users state they are uninstalling Arc or advising others to do so; others say they’ll continue using it but are uneasy.
  • Suggested alternatives with similar UX ideas include Firefox (with extensions like Sidebery/Tree Style Tabs), Zen Browser, Floorp, Brave, Vivaldi, Edge, Safari, and Kagi’s Orion.
  • Broader skepticism appears toward VC‑funded browsers with no clear business model but deep access to user data.