Arc's Boosts feature allows users to customize websites with CSS and Javascript, but due to security concerns, these scripts aren't shareable. However, they still sync across devices using Firebase.
Due to misconfigured Firebase ACLs, users could alter the creatorID of a Boost. This misconfiguration meant that any user could reassign a Boost to their account, leading to potential misuse.
Collection
[
|
...
]