[Hacker News repost] Gaining access to anyone's Arc browser without them even visiting a website
-
Title: Gaining access to anyone's Arc browser without them even visiting a website
Text:
Url: https://kibty.town/blog/arc/
Post by: xyzeva
Comments:
ha470: I’m Hursh, cofounder and CTO of The Browser Company (the company that makes Arc). Even though no users were affected and we patched it right away, the hypothetical depth of this vulnerability is unacceptable. We’ve written up some technical details and how we’ll improve in the future (including moving off Firebase and setting up a proper bug bounty program) here: https://arc.net/blog/CVE-2024-45489-incident-response
I'm really sorry about this, both the vuln itself and the delayed comms around it, and really appreciate all the feedback here – everything from disappointment to outrage to encouragement. It holds us accountable to do better, and makes sure we prioritize this moving forward. Thank you so much.
zachrip: I just want to call out that there is a lot of blame put on firebase here in the comments but I think that's just people parroting stuff they don't actually know about (I don't use firebase, I have tried it out in the past though). This isn't some edge case or hard to solve thing in firebase, this is the easy stuff.
The real issue here is that someone wrote an api that trusted the client to tell it who they were. At the end of the day this is an amateur mistake that likely took a 1 line diff to fix. Don't believe me? Check out the docs: https://firebase.google.com/docs/rules/rules-and-auth#cloud-firestore - request.auth gives you the user id you need (request.auth.uid).
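As an added illustration of zachrip's point (this is not code from the post, from Arc, or from Firebase), the comments below show the two rule shapes side by side in Firestore rules syntax, and the JavaScript functions model how the rules engine would decide each request; the /users/{userId}/items/{itemId} path, the weak rule and the sample request are all hypothetical.

```javascript
// Added example (not Arc's or Firebase's code): why a Firestore rule must take
// identity from request.auth.uid, never from data the client supplies.
// Rules syntax, as in the Firebase docs linked above:
//
//   // Weak: any signed-in caller may write anywhere under /users.
//   match /users/{userId}/items/{itemId} {
//     allow write: if request.auth != null;
//   }
//   // Fixed: the path's userId must equal the caller's verified uid.
//   match /users/{userId}/items/{itemId} {
//     allow write: if request.auth != null && request.auth.uid == userId;
//   }
//
// The two functions below model those decisions over a `request` shaped like
// the rules engine's (auth set by Firebase from the verified ID token) plus a path.

const PATH = /^\/users\/([^/]+)\/items\/([^/]+)$/;
function parsePath(path) {
  const m = PATH.exec(path);
  return m ? { userId: m[1], itemId: m[2] } : null;
}

// Weak rule: only checks that somebody is signed in; ownership is never tied to the caller.
function weakRuleAllowsWrite(request, path) {
  return parsePath(path) !== null && request.auth !== null;
}

// Fixed rule: the caller may only write under their own verified uid.
function fixedRuleAllowsWrite(request, path) {
  const vars = parsePath(path);
  return vars !== null && request.auth !== null && request.auth.uid === vars.userId;
}

// Constructed sample: caller authenticated as "attacker" targets "victim"'s data.
const sampleRequest = {
  auth: { uid: 'attacker' },                 // set by Firebase from the verified token
  resource: { data: { ownerId: 'victim' } }, // client-controlled payload, never trusted
};
const victimPath = '/users/victim/items/item1';
const ownPath = '/users/attacker/items/item1';

function demo() {
  return {
    weakVictim: weakRuleAllowsWrite(sampleRequest, victimPath),          // true: the hole
    fixedVictim: fixedRuleAllowsWrite(sampleRequest, victimPath),        // false
    fixedOwn: fixedRuleAllowsWrite(sampleRequest, ownPath),              // true
    unauth: fixedRuleAllowsWrite({ auth: null, resource: {} }, ownPath), // false
  };
}
```

The only difference between the two rules is the `request.auth.uid == userId` clause, which is the "1 line diff" zachrip refers to.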
water-data-dude: I just wanted to say, I enjoyed the little pixel art cat that runs towards wherever you click immensely. It’s one of those fun, whimsical little touches that I don’t see all that often. A reminder that the internet can be a fun, whimsical place if we want it to be
Borgz: According to this article, Arc requires an account and sends Google's Firebase the hostname of every page you visit along with your user ID. Does this make Arc the least private web browser currently being used?
ARandomerDude: I'm amazed by how profoundly stupid this vulnerability is. To get arbitrary code execution, you literally just send somebody else's user ID, which is fairly trivial to obtain.
I don't work at FAANG. I just work at some company that makes crap products you don't actually need, and even I would never build this kind of bug.
But these people want to build a web browser, with all the security expertise and moral duty that implies?! Wow.