Arc Browser Vulnerability Report and Fixes

Oct 11, 2024

The Code Report - Arc Browser Vulnerability

Overview

  • The Arc browser had a severe vulnerability in which malicious actors could execute their own CSS and JavaScript on sites in other users' browsers.
  • Potential impact included logging passwords, tracking browsing history, and injecting fake content into pages.
  • Exploitation did not require the victim to visit a malicious website.
  • The issue has been patched, and no users were exploited.

Cause of Vulnerability

  • The root cause was traced to misconfigured Firestore security rules on Arc's Firebase backend.
  • The browser itself is built on the Chromium engine; the flaw lay in the backend configuration, not in the engine.

Arc Browser Details

  • Marketed as a private and secure alternative to Chrome.
  • Features include side-tab organization and a command palette similar to the one in VS Code.
  • The frontend UI is built in Swift.

Details of the Exploit

  • Discovered by researcher XYZ3VA, who reported it promptly; Arc fixed it.
  • The exploit involved the "Boost" feature, which lets users customize websites with their own CSS and JavaScript.
  • Boosts can be shared with friends, but JavaScript boosts cannot be shared.
  • Syncing boosts across a user's devices requires storing the executable JavaScript on the backend, which is built on Firebase.

Firebase Involvement

  • Firebase assigns each user a user ID at login.
  • User data is stored in Firestore, Firebase's NoSQL document database.
  • Boost documents are linked to user IDs and are read and written directly from client-side code.

Security Misconfiguration

  • Firestore security rules should have prevented a client from changing the user ID stored on a document.
  • The boost collection's rules allowed the creator ID of a boost to be changed, so an attacker could reassign a malicious boost to another user.
  • Potential fix: reject any update whose creator ID does not match the authenticated user's ID.
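The following Firestore security rules are an added illustration of the misconfiguration described in the Firebase Involvement and Security Misconfiguration sections; they are not Arc's actual rules. The collection name `boosts`, the field name `creatorId`, and the helper function names are assumptions based on the summary's "boost collection" and "creator ID". The permissive rule is kept as a comment so the weak and corrected versions can be compared side by side.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak rule (shown only as a comment; constructed for illustration):
    // any signed-in user may create or update any boost document,
    // including rewriting its creatorId to another user's ID.
    //
    // match /boosts/{boostId} {
    //   allow read: if request.auth != null;
    //   allow create, update: if request.auth != null;
    // }

    // Corrected rule: ownership is checked on both the stored document
    // and the incoming write, and creatorId can never be reassigned.
    match /boosts/{boostId} {

      // Caller has a Firebase Authentication identity.
      function signedIn() {
        return request.auth != null;
      }

      // The creatorId in the incoming write must be the caller's own uid.
      function incomingIsOwn() {
        return signedIn()
          && request.resource.data.creatorId == request.auth.uid;
      }

      // The document already stored must belong to the caller.
      function existingIsOwn() {
        return signedIn()
          && resource.data.creatorId == request.auth.uid;
      }

      // Reads are limited to signed-in users.
      allow read: if signedIn();

      // A new boost must be stamped with the caller's own uid.
      allow create: if incomingIsOwn();

      // Updates require owning the stored document, and the creatorId
      // must remain unchanged so a boost cannot be handed to someone else.
      allow update: if existingIsOwn()
        && request.resource.data.creatorId == resource.data.creatorId;

      // Only the owner may delete a boost.
      allow delete: if existingIsOwn();
    }
  }
}
```

The key difference is that `request.auth != null` only proves that someone is signed in, not that they own the document being written; the corrected rules compare `request.auth.uid` against `creatorId` in both `resource.data` (the stored document) and `request.resource.data` (the incoming write), so a client can neither claim another user's ID on create nor reassign it on update. Rules like these can be exercised against the Firebase emulator before deployment, which is the kind of testing the later Security Best Practices section calls for.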

Blame and Consequences

  • Responsibility lies with Arc for misconfiguring its security rules.
  • The oversight is considered egregious, comparable to exposing API keys.

Firebase's Role

  • Firebase's security rules are straightforward, but Arc implemented them poorly.
  • Arc decided to move away from Firebase after the incident.

Security Best Practices

  • Stresses the importance of thorough security testing and robust authorization logic.
  • Mentions alternative user-management platforms such as Clerk.
    • Clerk offers secure sign-in methods and user-management features.

Conclusion

  • Emphasizes the need for bulletproof security wherever executable code is stored or shared.
  • Includes a promotional mention of Clerk as a secure authentication alternative.

This report highlights the criticality of proper security configuration in web applications, especially those dealing with sensitive data and executable code.