Arc has a function known as Boosts that lets you customise any web site with customized CSS and Javascript. Since operating arbitrary Javascript on web sites has potential safety issues, we opted to not make Boosts with customized Javascript shareable throughout members, however we nonetheless synced them to our server in order that your individual Boosts can be found throughout units.
We use Firebase because the backend for sure Arc options (extra on this under), and use it to persist Boosts for each sharing and syncing throughout units. Sadly our Firebase ACLs (Entry Management Lists, the best way Firebase secures endpoints) have been misconfigured, which allowed customers Firebase requests to alter the creatorID of a Increase after it had been created. This allowed any Increase to be assigned to any person (offered you had their userID), and thus activate it for them, resulting in customized CSS or JS operating on the web site the increase was energetic on.
