How things work matters

In a span of maybe two weeks I'm reading the second article where a software that looks nice on the surface turns out to be horrible in the inside.

This is a good reminder that having nice features is important, but how things work under the hood matters as well. Sometimes it results on a fine, such as when 23andMe failed to secure user access or when Zoom lied about end-to-end encryption.

But fines are the rare exceptions. More often it just allows hackers to gain and modify data and put users at risk.

The first story is about this blog post where the author could insert scripts into the users of the Arc browser.

I haven't heard of Arc browser before, but according to its own description it's an enhanced Chromium:

Experience a calmer, more personal internet in this browser designed for you. Let go of the clicks, the clutter, the distractions with the Arc browser.

It comes with a feature called Boosts that, according to the documentation:

Boosts are a new way to edit and remix your internet, and share it with friends too!

In a nutshell, you can add rules that change things on pages like the font size, colors, size, capitalization, and, of course, allows any JavaScript to be inserted.

And since these can be shared, that means it is stored on a remote server.

Of course, there was a security vulnerability here. From the article:

  • arc boosts can contain arbitrary javascript
  • arc boosts are stored in firestore
  • the arc browser gets which boosts to use via the creatorID field
  • we can arbitrarily chage the creatorID field to any user id

Boosts can be useful features. But if you look into how they work they allow a remote party to inject any script into any of site you visit. Any vulnerability on their side directly compromises you. Were it to be written on their webpage, I'm sure many users would think twice to install the browser.

The second story is this blog post where the author could gain a real-time view of all restaurants using a specific ordering system.

A few days ago, I went to a cafe near my home. I sat down and scanned the QR code on the table. It took me to a website displaying the cafe's menu. It asked me for my name and Whatsapp mobile number. I entered the details and placed the order.

/api/morder/suggestion/ongoing/items?storeID=XXXX

/api/morder/suggestion/items/purchase/history?merchantID=YYYY&storeID=XXXX

The first request listed the food items currently ordered at the cafe. The second returned how many times each item was ordered in the past month.

Some more APIs later:

From the mobile number, I could see all the food he had ever ordered in this cafe.

Getting the revenue for the store:

The purchase history API provided a count of each food item ordered over the past month. The menu API gave the price of each food item. So I wrote a small script to calculate the cafe's dine-in revenue for the last month.

Then in other restaurants:

I could now see all the ongoing orders from all their restaurants in real time!

And also place orders for other people's tables:

I figured out that I can remotely place an order at any restaurant table where people were already sitting without needing their table PIN.

On the surface only the ordering experience is visible. But how it works allows any people to see all the sales records of any restaurant and also make inconveniences for the guests.

Master AWS serverless app development

Well-researched books and courses to help you with your serverless journey in one single package.

A package of 4 books and 1 course.

Build deep understanding and accelerate your learning of AWS, serverless, and web technologies.

More info and sign up >
September 23, 2024
Author's image
Tamás Sallai

I came to believe that great software craftsmanship starts with understanding the underlying technologies better. You can't rely on "easy solutions" and "quick fixes" when you want dependable systems. I write about technology to deepen my knowledge and also to help others solve problems.

I'm the author of several books and courses.

Author's image

Hi, I'm Tamás,

I write articles about AWS, Javascript, security, and web technologies.

I'm the author of several books and courses.

Free PDF guide

Sign up to our newsletter and download the "Foreign key constraints in DynamoDB" guide.