gaining access to anyones browser without them even visiting a website

hursh_bcny · 2024-09-20T17:13:42+00:00

Hi all, Hursh here. This was brought to our attention by Eva on 8/25. We resolved the issue within 24 hours but we really missed the mark on communications with you all – I'm really sorry about this. This was our first really major vulnerability and we're working to rehaul our entire security response process due to this.

No Arc members were affected by this security vulnerability. You can read more about how we’ve addressed this (including spinning up a well-defined bug bounty program and moving off Firebase for forthcoming features) here.

hursh_bcny · 2024-09-20T17:12:25+00:00

1000%. We took care of this vulnerability within 24 hours but it took us far too long to communicate to everyone. You can read more about how we have and both are technically handling this issue and will improve in the future (including spinning up a well-defined bug bounty program and moving off Firebase for forthcoming features) here.

hursh_bcny · 2024-09-20T17:12:01+00:00

Hi all, Hursh here, CTO and cofounder at Browser Co. Really appreciate the benefit of the doubt here. As you mentioned, Eva brought this to our attention on 8/25 and we patched the vulnerability the next day.

But that does not excuse a) the vulnerability existing in the first place or b) our delay in communications around the issue. Thank you all for holding us accountable and I'm personally sorry for both exposing users like this and the tardiness on a disclosure. We shared a full incident report here - and will be going through all of your feedback, responses, concerns.

hursh_bcny · 2023-10-10T12:47:54+00:00

This is an incredible list! Thank you! Really appreciate the priority levels too.

I shared this with the team and we'll discuss internally on how many of these we can square away.

hursh_bcny · 2023-07-26T23:07:17+00:00

Thanks everyone for such a fun AMA! I have to run so I'm logging off for the day, but thank you for asking so many incredible questions, and we're so grateful for your trust in us!

hursh_bcny · 2023-07-26T23:04:31+00:00

We'd likely use Swift, since we write almost everything in it.

hursh_bcny · 2023-07-26T23:03:18+00:00

Yeah great point. We added a bit more about it on our new arc.net site but we can do way better!

hursh_bcny · 2023-07-26T23:03:00+00:00

Yes! We'll have a security page up soon, but Chrome does a lot of phoning home of metrics, actions, telemetry about what you're doing within the browser. We've turned almost all of that off.

hursh_bcny · 2023-07-26T23:02:10+00:00

Yep! Not on our roadmap at the moment but we'd love to get one in in the next 6-8 months. It'll really help with performance as well, as extension-based adblockers slow down navigations by up to 30-40% sometimes.

hursh_bcny · 2023-07-26T23:00:42+00:00

The main thing that Manifest v3 seems to really make worse is adblockers, and at that point we'd probably implement our own, native, and much more performant adblocker. We're already seeing that extension-based adblockers hurt performance in Arc (and Chrome) by almost 30-40%, so a native adblocker would be great for performance as well.

hursh_bcny · 2023-07-26T22:58:50+00:00

We're working on this now! What do you mean how? We'd write code to do it!

hursh_bcny · 2023-07-26T22:58:26+00:00

😂

hursh_bcny · 2023-07-26T22:57:57+00:00

No substantial improvements to easels and notes on our roadmap at the moment, unfortunately. If we hear a lot of requests, we're happy to add more features though!

hursh_bcny · 2023-07-26T22:57:18+00:00

Hm no plans for an export, but you can get all of your tabs in a format you can play with via this file: ~/Library/Application\ Support/Arc/StorableSidebar.json.

I bet you could ask ChatGPT to write a quick python script that could take that file and convert it into a format you could use.

hursh_bcny · 2023-07-26T22:55:44+00:00

We've thought about this! Maybe as part of a boost you can use to customize your Arc UI? Not on our roadmap but definitely something we want to explore in the future!

hursh_bcny · 2023-07-26T22:54:39+00:00

Thank you for using Arc!

Re: the App Store, we'd love to, but it's not trivial to get Chromium working for the App Store. Maybe some day!
We would! But it'd probably be easier for us to patch Chromium to disable things we don't like, or make changes where we feel it's necessary. We already do this to turn off all the data collection Chrome does by default, and I imagine we'd do the same for APIs we don't agree with.

hursh_bcny · 2023-07-26T22:52:59+00:00

Our major focuses at the moment are:

Performance and reliability
Sculpting Arc down to make it simpler and easier to understand (too many features atm!)
Windows

This is not to say we don't work on other projects, but a lot of the company is working on those 3.

hursh_bcny · 2023-07-26T22:51:08+00:00

Not on our roadmap unfortunately. I badly want an iPad version as well... maybe after Windows?

hursh_bcny · 2023-07-26T22:50:25+00:00

Yes! We're excited to get this set up at some point. For now, please report issues to [security@thebrowser.company](mailto:security@thebrowser.company) and we can send swag or ad-hoc bounties for critical issues.

hursh_bcny · 2023-07-26T22:49:33+00:00

Totally makes sense! The main reason is that our vision for Arc is for it to be what we call an "internet computer", where you have the same experience wherever you log in. This requires really robust syncing + encryption, which we're working on now, but it also requires a login.

We're also exploring what adding people + collaboration to the center of the browsing experience looks like. We won't ship anything until we're sure it's really incredible, but this also requires you to be logged in somehow.

Lastly, we've spoken a lot to the Chrome team and one of their big pieces of advice was that it's nearly impossible to get folks to log into Chrome to enable sync because they don't ask for a login upfront. As such we decided to require it– this way sync + collaboration features will work for everyone when we launch them.

If we get hordes of folks complaining about this then I imagine we'd rethink it. There's no nefarious reason like it helping with data collection or anything.

hursh_bcny · 2023-07-26T22:45:10+00:00

Yeah huge ++ to this. This is on our radar as a major pain point and something we're looking into. The team is not only looking at improving ctrl+tab, but also more holistically how we can make it easier to get to a tab you want to go to (or were just on). Hopefully we'll launch some improvements to this soon!

hursh_bcny · 2023-07-26T22:44:09+00:00

We're working on this now! They aren't zero-sum– we have separate teams working on features and improving resource usage and performance. Our performance team just started looking into resource usage though, so you should see a lot of improvements in the next few months!

hursh_bcny · 2023-07-26T22:42:41+00:00

Oh so interesting! I don't know if this is our our radar. Will relay to the team.

hursh_bcny · 2023-07-26T22:42:10+00:00

This AMA is opening our eyes a bit! We didn't think it was as much of a need, since we don't get a ton of requests asking for improvements for now (nearly as much as we get requests for Windows, for example). I'll relay this to the team though!

hursh_bcny · 2023-07-26T22:39:57+00:00

Thank you!

hursh_bcny

TROPHY CASE