Researcher reveals ‘catastrophic’ security flaw in the Arc browser


Arc has a feature called Boosts that allows you to customize any website with custom CSS and JavaScript. Since running arbitrary JavaScript on websites has potential security concerns, we opted not to make Boosts with custom JavaScript shareable across members, but we still synced them to our server so that your own Boosts are available across devices.

We use Firebase as the backend for certain Arc features (more on this below), and use it to persist Boosts for both sharing and syncing across devices. Unfortunately our Firebase ACLs (Access Control Lists, the way Firebase secures endpoints) were misconfigured, which allowed users' Firebase requests to change the creatorID of a Boost after it had been created. This allowed any Boost to be assigned to any user (provided you had their userID), and thus activate it for them, leading to custom CSS or JS running on the website the Boost was active on.
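
The rule gap described above, modelled as an added example (not code from Arc or The Browser Company): an update check that looks only at the stored document's owner next to one that also pins `creatorID` in the incoming write. The function names, the rule expressions in the comments (written in Firestore security-rule style) and the sample data are assumptions made for illustration.

```javascript
// Added example: a model of owner checks on a Boost update, not Arc's real rules.
// Names mirror Firestore rule variables: `resource` is the stored document,
// `requestResource` is the document as it would look after the write.

// Weak check (assumed shape of the misconfiguration): only asks whether the
// caller owns the Boost before the write, so the write may change creatorID.
//   allow update: if request.auth.uid == resource.data.creatorID;
function weakAllowUpdate(auth, resource, requestResource) {
  return auth !== null && auth.uid === resource.creatorID;
}

// Hardened check: caller must own the Boost and creatorID must stay unchanged.
//   allow update: if request.auth.uid == resource.data.creatorID
//                 && request.resource.data.creatorID == resource.data.creatorID;
function hardenedAllowUpdate(auth, resource, requestResource) {
  return auth !== null &&
    auth.uid === resource.creatorID &&
    requestResource.creatorID === resource.creatorID;
}

// Constructed sample data: user IDs and Boost contents are placeholders.
const stored = { creatorID: "user-A", site: "example.com", js: "/* custom JS */" };
const reassign = { ...stored, creatorID: "user-B" };    // ownership change
const contentEdit = { ...stored, js: "/* edited */" };  // ordinary edit

// Run one rule against the four cases a rules unit test should cover.
function evaluate(rule) {
  const owner = { uid: "user-A" };
  const other = { uid: "user-C" };
  return {
    ownerEdits: rule(owner, stored, contentEdit),
    ownerReassigns: rule(owner, stored, reassign),
    strangerEdits: rule(other, stored, contentEdit),
    anonymousEdits: rule(null, stored, contentEdit),
  };
}

console.log("weak    ", evaluate(weakAllowUpdate));
console.log("hardened", evaluate(hardenedAllowUpdate));
```

The `ownerReassigns` case is the one that separates the two checks; the other three cases give the same result under both.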
