How a simple mistake left Arc Browser wide open to hackers


A major exploit was discovered in the Arc browser recently that allowed an attacker to remotely execute JavaScript on any website. Learn how this vulnerability was caused by a simple Firebase misconfiguration.
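The misconfiguration class the video describes is a Firestore security rule that is too permissive. The rules file below is an added example written for this page; it is not Arc's actual rules and it is not from the video. The collection name `userItems`, the `ownerId` field and the helper functions `signedIn` and `isOwner` are assumptions. The commented-out rule at the top is the weak shape: any signed-in user may read and write every document, including the field that says who a document belongs to. The live rules below restrict reads and writes to the owner, require new documents to be created under the caller's own uid, and refuse any update that changes `ownerId`.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak shape (do not ship): any authenticated user may read and
    // write every document, including fields that decide who owns it.
    //
    //   match /userItems/{itemId} {
    //     allow read, write: if request.auth != null;
    //   }

    // Hardened shape. Assumed schema: each document carries an
    // `ownerId` string equal to the Firebase Auth uid of its owner.
    function signedIn() {
      return request.auth != null;
    }

    function isOwner(doc) {
      return signedIn() && doc.data.ownerId == request.auth.uid;
    }

    match /userItems/{itemId} {
      // Only the owner may read their own documents.
      allow read: if isOwner(resource);

      // A new document must be created with the caller as its owner.
      allow create: if signedIn()
                    && request.resource.data.ownerId == request.auth.uid;

      // Updates are limited to the owner, and the owner field is pinned:
      // the incoming document must keep the stored ownerId.
      allow update: if isOwner(resource)
                    && request.resource.data.ownerId == resource.data.ownerId;

      allow delete: if isOwner(resource);
    }

    // Firestore denies anything no rule explicitly allows, and allows are
    // additive, so this catch-all is documentary only: it does not override
    // a more specific `allow` above, but it records that every other path
    // is closed.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

The question to ask in review of any rules file is whether some `allow` lets a caller change a field that decides whom a document belongs to or who will load it; the `update` rule above is where that is pinned. Both shapes can be exercised against a second test user in the Firebase console's Rules Playground or the local emulator before deploying.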

#programming #hack #thecodereport

💬 Chat with Me on Discord

🔗 Resources

🔥 Get More Content - Upgrade to PRO

Use code YT25 for 25% off PRO access

🎨 My Editor Settings

- Atom One Dark
- vscode-icons
- Fira Code Font

🔖 Topics Covered

- Firebase Arc Browser exploit explained
- Pitfalls of using Firebase
- Arc browser vs Chrome
- Browser exploits in 2024
- How to hack Arc browser
- Firebase rules fails
Comments

I was terrified about this vulnerability because I thought someone was going to use it to push their new JavaScript framework onto my computer.

mathieu

3:41 ayy made it into a fireship video

hi.im.vijayy

* Proprietary browser made by a for-profit startup
* Requires an account to use
* Pinky-promises absolute privacy yet gives the browser away for free and expects to be profitable
* Already had a vulnerability worthy of a 9.8 CVSS
* Valued the bounty for said 9.8 CVE at a measly $2000

Yeah, I'm staying as far away from that as possible...

AQDuck

YES!! First exploit I can actually understand 🎉🎉🎉

suplays

Luckily I was safe from this exploit by using Arc on Windows, where 95% of the features from the macOS version are literally not implemented 👍

sadfacekira

Regardless of any security issues, I still don't trust a VC-backed browser.

weird_autumn

"I use Arc, by the way."

Really, that aged well.

jordank

Arc FAQ: "Rest assured that your data and security is of utmost importance to us".
Real life: "Databases hard, access control not understand".

KETHERCORTEX

xyzeva had a good quote in her article that was like "Firestore is a database-as-a-backend service that allows developers to not care about writing a backend".

samranda

Imagine using Google Maps to visit the nearest McD's and you end up getting diddled by Diddy.

addanametocontinue

Shouldn't have to have an account to use a browser in the first place. Huge red flag. But w/e.

HiImKyle

The way he snuck Diddy into the video was really great.

edwinanciani

3:00 Intercepting Google Maps and redirecting you to Diddy's mansion is just pure evil LMAO

qawmkl

When I first heard of Arc, I said "if it's not open-source or doesn't have very public audits, not interested", and I got a lot of hate. Now here we (predictably) are lol.

TRDiscordian

Whenever I hear that someone or some company is using Firebase, soon after I hear there is an exploit in their apps because the developers simply didn't know what they were doing. I wonder how many other multimillion-dollar apps were built by developers who don't know what they are doing.

jmonify

00:12 So many memories. This was in my primary school. Seeing this poster in the Head Teacher's office.

MRPtech

I really wish the Firebase rules were reversed: everything locked down by default, and you have to explicitly allow read/write for things. Would make life so much easier.

Metruzanca

If you need to create an account for something that's private and secure, it's not private and secure.

covle

Eva is an absolute legend at this point. She's exposed security flaws in over 100,000 websites using Firebase and now even Arc Browser. Holy!!

damonguzman

And people were mocking me for not wanting to use a browser with forced login.

phead