ARK Web Browser Security Vulnerability Analysis

Oct 11, 2024

The Code Report: ARK Web Browser Security Breach

Introduction

  • Recent catastrophic vulnerability in the ARK web browser.
  • Exploit allowed hackers to execute CSS and JavaScript across websites (akin to Godmode cross-site scripting).
  • Potential for hackers to log passwords, track history, etc.
  • Exploit did not require visiting a malicious site.
  • Issue has been patched without any user exploitation.

Underlying Cause

  • ARK is built on the Chromium engine, known for its security.
  • Vulnerability due to misconfigured security rules in Firebase backend.

Impact on ARK Browser

  • ARK is marketed as a Chrome replacement focused on privacy and security.
  • Built with a user-friendly UI in Swift on Chromium.
  • Features tab organization and command palette-like shortcuts.

Discovery and Resolution

  • Discovered by security researcher XYZ3VA.
  • Reported and patched by the ARK team promptly.

Explanation of Vulnerability

  • ARK feature "Boosts" allows CSS/JavaScript customization of any website.
  • Boosts can be shared, though custom JavaScript can't be shared to avoid exploitation.
  • For multi-device use, boosts are stored on Google’s Firebase and Cloud Firestore.

Details on Firebase and Firestore

  • Firebase generates user IDs for data storage.
  • Uses Firestore, a NoSQL document database similar to MongoDB.
  • Security rules are essential but can be misconfigured.

Specifics of the Exploit

  • Boost data stored in a collection with a creator ID pointing to the user.
  • Exploit allowed changing user ID in a user's boost data.
  • Example: Bob could alter a boost to affect Alice's data, e.g., altering Google Maps directions.

Security Oversight

  • Allowing change of creator ID was a major security oversight.
  • Could be fixed with a single line in Firestore security rules.

Responsibility and Lessons Learned

  • Blame falls on ARK for the security oversight.
  • Importance of rigorous security testing emphasized.
  • ARK is moving away from Firebase, possibly to deflect blame.

Alternative Solutions

  • Clerk as an alternative for user management and authentication.
    • Offers biometric passkeys, multi-factor auth, and seamless UI integration.
    • Pre-built components and user management dashboard.

Conclusion

  • The ARK vulnerability highlights the importance of robust security practices.
  • Firebase's ease might have led to developer complacency, but it remains a strong platform.
  • Clerk presents itself as a secure alternative for managing user data.

Thanks for watching The Code Report, and stay tuned for more insights.