this post was submitted on 16 Sep 2024
TechTakes
Big brain tech dude got yet another clueless take over at HackerNews etc? Here's the place to vent. Orange site, VC foolishness, all welcome.
This is not debate club. Unless it’s amusing debate.
For actually-good tech, you want our NotAwfulTech community
Meanwhile, over at the orange site they discuss a browser hack: https://news.ycombinator.com/item?id=41597250
As in a hack that gave the attacker control over any user of this particular browser even if they only ever visited innocent websites, only needing to know their user ID.
This is what's known in the biz as a company-destroying-level fuck-up. I'm not sure whether this is particularly sneerable or not but I'm just agog at how a company that calls themselves "The Browser Company" can get the basic browser security model so incredibly wrong.
Hm, I don’t really see the sneer. They wrote a nasty bug, got notified and had a patch out for it within 36h. The remediations look reasonable too: better privacy, less firebase, actual security audits; even the bounty program is probably the right call (but they result in so many shit reports, it’s probably a wash).
I gotta admit I’m kind of partial to them and their browser? It’s the non-Brave one that ships with an Adblocker by default, has much nicer UI than the existing ones, and the sync thing isn’t half bad (if it doesn’t sync security badness to all your instances, ouch). Sure they sound like a cult but I guess that’s how browser dev gets funded since the 1990s.
OK I might have been a little too harsh, but the security requirements of a browser are higher than pretty much any other piece of software except perhaps for operating system code, emails, or text messages. As a serious player in the browser space it is not optional to get the basic security model / architecture right. This isn't a matter of a bug slipping through (which can happen to anyone), but the system being designed wrong. Hopefully this company has learned their lesson, treats it with the care it deserves going forward, and brings some diversity to the browser market.
Anyway that said let's look at how this was a colossal bug:
Compare Firefox: I have an extension that allows for arbitrary CSS injection, but this extension isn't cloud based. So this class of vulnerability isn't possible in the first place, and also it is an extension I opted into and can enable selectively on specific sites instead of globally.