Hacker News
by devwastaken 2159 days ago
Exactly this. VRChat had Chromium for a while, but exploits got it removed. It'd be great if it was just a static browser engine, no JS, with a strong sandbox. So at most all that can be done is messing with the browser's runtime memory itself, not the system it's on.
2 comments

Heh, that's why I asked. I'm one of the developers of VRChat.
What kind of exploits? Was the browser not isolated at all or was it (say) sandbox-escaping via the JS?
We posted this:

https://medium.com/@vrchat/security-update-web-panels-4699fa...

It was severe enough that I ripped them out, though we were unable to find any evidence of the vulnerability in use.

But what was the vulnerability? It's not mentioned in the post.
It's been a few years, and I can't recall the specifics with certainty. It was a serious Chromium SVE that was unpatched in the middleware we were using.