Arc has a feature called Boosts that allows you to customize any website using custom CSS and Javascript. Due to the potential security issues of executing arbitrary Javascript on the site, we choose not to allow Boost with custom Javascript to be shared among members, but we still sync them to our servers so that your own Boost can Use across devices.
We use Firebase as the backend for some Arc features (more on that below) and use it to consistently enhance cross-device sharing and synchronization. Unfortunately, our Firebase ACL (Access Control List, the way Firebase protects endpoints) was misconfigured, causing users Firebase to request a change to their CreatorID after building Boost. This allows any Boost to be assigned to any user (provided you have their user ID), thereby activating it for them, causing custom CSS or JS to run on the website where that boost is active.
