Arc has a characteristic referred to as Boosts that lets you customise any web site with customized CSS and Javascript. As a result of operating arbitrary Javascript on web sites has potential safety points, we've opted to not make Boosts with customized Javascript shareable between members, however we've nonetheless synced them to our server so your personal Boosts can be found on all gadgets.
We use Firebase as a backend for sure Arc capabilities (extra on that under) and use it to persist Boosts for each sharing and syncing throughout gadgets. Sadly, our Firebase ACLs (entry management lists, the best way Firebase secures endpoints) have been misconfigured, which allowed customers of Firebase requests to vary the creator ID of a Increase after it was created. This allowed any Increase to be assigned to any consumer (supplied you had the consumer ID) and thus allow it for them, leading to customized CSS or JS operating on the web site it was on enhance energetic.